Author
John Downing
Primary Reviewers
Ian Jirka, Joseph Chan, Lincoln Atkinson, Olof Mases, Ruhiyyih Mahalati, Smita Mahalati, and Tim Helton
Secondary Reviewers
Eugene Bykov, Clive Eastwood, Doug Bradley, Jakub Oleksy, Ranga Kalyanasundaram, and Vitaly Filimonov
Feedback
Send suggestions and comments about this document to momdocs@microsoft.com. Please include the security guide name and published date with your feedback.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. 2009 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, ActiveSync, Internet Explorer, Jscript, SharePoint, SQL Server, Visio, Visual Basic, Visual Studio, Win32, Windows, Windows PowerShell, Windows Server, and Windows Vista are trademarks of the Microsoft group of companies. 
All other trademarks are property of their respective owners.
Revision History
Release Date: May, 2009
Changes: The Operations Manager 2007 R2 release of this guide contains the following updates and additions:
- Information for deploying agents to UNIX and Linux systems was added.
- A list of hash values for UNIX and Linux agents was added.
Contents
Security with Operations Manager 2007 R2
About the Operations Manager 2007 Security Guide
New Security Features in Operations Manager 2007
Account Information for Operations Manager 2007
How to Change IIS ReportServer Application Pool Account Password for Operations Manager 2007
How to Change the Reporting Server Execution Account Password in Operations Manager 2007
How to Change the SDK and Config Service Accounts in Operations Manager 2007
How to Change the Windows Service Account Password for the SQL Server Reporting Service in Operations Manager 2007
How to Set the Action Account on Multiple Computers in Operations Manager 2007
Role-based Security in Operations Manager 2007
Run As Accounts and Run As Profiles in Operations Manager 2007
How to Create a Run As Account in Operations Manager 2007
How to Create and Configure a Run As Profile in Operations Manager 2007
How to Modify an Existing Run As Profile
Authentication and Data Encryption for Windows Computers in Operations Manager 2007
How to Configure the Operations Console to Use SSL When Connecting to a Reporting Server in Operations Manager 2007
How to Obtain a Certificate Using Windows Server 2003 Enterprise CA in Operations Manager 2007
How to Obtain a Certificate Using Windows Server 2003 Stand-Alone CA in Operations Manager 2007
How to Obtain a Certificate Using Windows Server 2008 Enterprise CA in Operations Manager 2007
How to Obtain a Certificate Using Windows Server 2008 Stand-Alone CA in Operations Manager 2007
How to Remove Certificates Imported with MOMCertImport in Operations Manager 2007
How to Change the Run As Account Associated with a Run As Profile
How to Configure an HTTPS Binding for a Windows Server 2008 CA
Authentication and Data Encryption for UNIX and Linux Operating Systems
How to Manually Install Certificates for Cross-Platform Support
Using a Firewall with Operations Manager 2007
How to Configure the Operations Manager Database to Listen on a Specific TCP/IP Port
How to Configure the Reporting Data Warehouse to Listen on a Specific TCP/IP Port
Using Certificates with ACS in Operations Manager 2007
How to Configure Certificates on the ACS Collector in Operations Manager 2007
How to Configure Certificates on the ACS Forwarder in Operations Manager 2007
Security Considerations for Agentless Management in Operations Manager 2007
Web Console Security in Operations Manager 2007
Appendix A - List of Operations in Operations Manager 2007
Appendix B - List of Hash Values for UNIX and Linux Agents
In This Section
Account Information for Operations Manager 2007: Describes the accounts in Operations Manager 2007 that you will provide credentials for.
Role-based Security in Operations Manager 2007: Describes how role-based security is implemented.
Run As Accounts and Run As Profiles in Operations Manager 2007: Describes how Run As Accounts and Run As Profiles are used.
Authentication and Data Encryption for Windows Computers in Operations Manager 2007: Describes how and when data between various Operations Manager components is encrypted and instructions about how to obtain and use certificates.
Authentication and Data Encryption for UNIX and Linux Operating Systems: Describes how to securely deploy agents to UNIX-based and Linux-based computers.
Using Certificates with ACS in Operations Manager 2007: Describes when certificates must be used so that authentication can take place between the ACS Forwarder and the ACS Collector.
Security Considerations for Agentless Management in Operations Manager 2007: Provides information about security considerations for agentless management.
Web Console Security in Operations Manager 2007: Shows how to use Secure Sockets Layer (SSL) with the Web console in Operations Manager 2007.
Appendix A - List of Operations in Operations Manager 2007: Lists the operations available, broken out by profile.
Appendix B - List of Hash Values for UNIX and Linux Agents: Lists the hash values for the UNIX and Linux agents.
External Resources
For an online version of help, see Operations Manager 2007 Help (http://go.microsoft.com/fwlink/?LinkID=77739).
User Roles
You can access and manipulate Operations Manager 2007 through several methods: through the Operations console, the Web console, Windows PowerShell, or custom applications. In all cases, role-based security ensures that the user credentials supplied are members of a user role in Operations Manager 2007.
MonitoringHost.exe is the process that runs these actions using the credentials specified in the action account. A new instance of MonitoringHost.exe is created for each account.
A common approach is to specify a domain account, which allows you to select a user with the least amount of privileges necessary for your environment. On computers running Windows Server 2003, Windows Server 2003 R2, and the Windows Vista operating system, the default action account must have the following minimum privileges:
- Member of the local Users group
- Member of the local Performance Monitor Users group
- Allow log-on-locally permission (SeInteractiveLogonRight)

Important: The minimum privileges described above are the lowest privileges that Operations Manager 2007 supports for the action account. Other Run As Accounts can have lower privileges. The actual privileges required for the Run As Accounts depend upon which management packs are running on the computer and how they are configured. For more information about which specific privileges are required, see the appropriate management pack guide.

Keep the following points in mind when choosing credentials for the action account:
- A low-privileged account can be used only on computers running Windows Server 2003, Windows Server 2003 R2, and Windows Vista. On computers running Windows 2000 and Windows XP, the action account must be a member of the local Administrators security group or Local System.
- A low-privileged account is all that is necessary for agents that are used to monitor domain controllers.
- Using a domain account requires password updating consistent with your password expiration policies.
- You must stop and then start System Center Management service if the action account has been configured to use a low-privilege account and the low-privilege account was added to the required groups while the System Center Management service was running.
Microsoft SQL Server 2005 Microsoft SQL Server 2005 Microsoft SQL Server 2005 Microsoft SQL Server 2005 Operations Manager 2007
Application
Database/Role
Role/Account
Data Warehouse Action Account Data Warehouse Configuration Synchronization Reader Account
If you change the password for the credentials you entered for the Data Warehouse Write account, you will need to make the same password changes for the following accounts:
- Run As Account called Data Warehouse Action Account
- Run As Account called Data Warehouse Configuration Synchronization Reader Account
Application | Database/Role | Role/Account
Microsoft SQL Server 2005 | Reporting Server Installation Instance | Report Server Execution Account
Microsoft SQL Server 2005 | OperationsManagerDW | OpsMgrReader
Operations Manager 2007 | User Role | Operations Manager Report Security Administrators
Operations Manager 2007 | User Role | Operations Manager Report Operators
Operations Manager 2007 | Run As Account | Data Warehouse Report Deployment Account
IIS | Application Pool | ReportServer$<INSTANCE>
Windows Service | SQL Server Reporting Services | Log On account
If you change the password for the credentials you entered for the Data Reader account, you will need to make the same password changes for the following accounts:
- Report Server Execution Account
- The SQL Server Reporting Services service account on the computer hosting SQL Server Reporting Services (SRS)
- The IIS ReportServer$<INSTANCE> Application Pool account
- Run As Account called Data Warehouse Report Deployment Account
See Also
How to Change the Reporting Server Execution Account Password in Operations Manager 2007
How to Change the SDK and Config Service Accounts in Operations Manager 2007
How to Change the Windows Service Account Password for the SQL Server Reporting Service in Operations Manager 2007
How to Set the Action Account on Multiple Computers in Operations Manager 2007
How to Change IIS ReportServer Application Pool Account Password for Operations Manager 2007
If the password changes for the account you specified as the Data Reader Account during the setup of the reporting server, you can use the following procedure to change the IIS ReportServer Application Pool account password on the computer running SQL Server Reporting Services.

To change the IIS ReportServer Application Pool account
1. On the computer running SQL Server Reporting Services, on the Windows desktop, click Start, point to Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In Internet Information Services (IIS) Manager, expand <Computer Name> (local computer), expand Application Pools, right-click ReportServer<INSTANCE>, and then click Properties.
3. In the ReportServer<INSTANCE> Properties dialog box, click Identity.
4. In the Password text box, type the new password, and then click OK.
5. Close Internet Information Services (IIS) Manager.
See Also
How to Change the Reporting Server Execution Account Password in Operations Manager 2007
How to Change the Windows Service Account Password for the SQL Server Reporting Service in Operations Manager 2007
How to Change the Reporting Server Execution Account Password in Operations Manager 2007
If the password changes for the account you specified as the Data Reader Account during the setup of the reporting server, use the following procedure to change the Execution account password on the reporting server.

To change the Reporting Server Execution account password
1. On the computer hosting the Reporting Server, on the Windows desktop, click Start, point to Programs, point to Microsoft SQL Server 2005, point to Configuration Tools, and then click Reporting Services Configuration.
2. In the Reporting Server Installation Instance Selection dialog box, click Connect.
3. In the Reporting Services Configuration Manager pane, in the left pane, click Execution Account.
4. In the Execution Account pane, type the new password for the execution account.
5. Click Apply, and then click Exit to close Reporting Services Configuration Manager.
See Also
How to Change IIS ReportServer Application Pool Account Password for Operations Manager 2007
How to Change the Windows Service Account Password for the SQL Server Reporting Service in Operations Manager 2007
How to Change the SDK and Config Service Accounts in Operations Manager 2007
During the install of Operations Manager 2007, you are prompted for credentials for two services. The names for these services changed with the introduction of Operations Manager 2007 R2. If you want to change the password for the credentials that you provided or use a different set of credentials, follow the procedure for the version of Operations Manager that you are using.

Note: The same credentials must be used for both services.

To change credentials or password for the Operations Manager 2007 SP1 services
1. On the computer hosting the root management server, on the Windows desktop, click Start, and then click Run.
2. In the Run dialog box, type services.msc, and then click OK.
3. In the list of services, right-click SDK Service, and then click Properties.
4. In the SDK Properties dialog box, click the Log On tab.
5. Enter new credentials or change the password of the existing credentials, and then click OK.
6. In the list of services, right-click Config service, and then click Properties.
7. In the Config Properties dialog box, click the Log On tab.
8. Enter new credentials or change the password of the existing credentials, and then click OK.
9. Stop and restart both the SDK service and Config service.

To change credentials or password for the Operations Manager 2007 R2 services
1. On the computer hosting the root management server, on the Windows desktop, click Start, and then click Run.
2. In the Run dialog box, type services.msc, and then click OK.
3. In the list of services, right-click System Center Data Access service, and then click Properties.
4. In the System Center Data Access Properties dialog box, click the Log On tab.
5. Enter new credentials or change the password of the existing credentials, and then click OK.
6. In the list of services, right-click System Center Management Configuration service, and then click Properties.
7. In the System Center Management Configuration Properties dialog box, click the Log On tab.
8. Enter new credentials or change the password of the existing credentials, and then click OK.
9. Stop and restart both the System Center Data Access service and System Center Management Configuration service.
How to Change the Windows Service Account Password for the SQL Server Reporting Service in Operations Manager 2007
If the password changes for the account you specified as the Data Reader Account during the setup of the reporting server, use the following procedure to change the Windows service account for the SQL Server Reporting Services password on the computer running SQL Server Reporting Services (SRS).

To change the Windows service account for the SQL Server Reporting Services
1. On the computer running SQL Server Reporting Services, on the Windows desktop, click Start, point to Settings, and then click Run.
2. In the Run dialog box, type services.msc, and then click OK.
3. In Services, scroll down the list, right-click SQL Server Reporting Services (<INSTANCE>), and then click Properties.
4. In the SQL Server Reporting Services (<INSTANCE>) Properties dialog box, click Log On.
5. In the Password and Confirm Password text boxes, type the new password, and then click OK.
6. Close Services, and then close Administrative Tools.
See Also
How to Change IIS ReportServer Application Pool Account Password for Operations Manager 2007
How to Change the Reporting Server Execution Account Password in Operations Manager 2007
How to Set the Action Account on Multiple Computers in Operations Manager 2007
This procedure shows you how to use a Windows PowerShell script, set-ActionAccount.ps1, to set the action account on multiple computers. You will need to download the set-ActionAccount.ps1 script to the computer that hosts the Operations console and Operations Manager 2007 Command Shell. For more information about the set-ActionAccount.ps1 script see the SC Ops Mgr 2007 Resource Kit (http://go.microsoft.com/fwlink/?LinkId=92596).

You can specify the computers you want to change the action account for by either creating a new computer group or by selecting a computer group from discovered inventory. Both procedures are described in the following sections. For the purposes of these procedures, it is assumed that the set-ActionAccount.ps1 script was downloaded to a user's My Documents folder on the C drive.

To set the action account on multiple computers
1. Log on to the computer with an account that is a member of the Operations Manager Administrators role for the Operations Manager 2007 management group.
2. In the Operations console, click the Monitoring button.
   Note: When you run the Operations console on a computer that is not a management server, the Connect To Server dialog box displays. In the Server Name text box, type the name of the Operations Manager 2007 management server that you want the Operations console to connect to.
3. In the Monitoring pane, right-click Monitoring, point to New, and then click State View.
4. In the Properties dialog box, in the Name text field, enter a new name for this view (for example, My Computer Group).
5. On the Criteria tab, in the Show data related to list box, click the ellipsis (...) button.
6. In the Select a Target Type dialog box, in the Look for text field, type Computer Group, click View all Targets, select Computer Group in the list, and then click OK.
7. In the Properties dialog box, click OK.
8. In the Monitoring pane, expand Monitoring, and then click the view you just created (for example, click My Computer Group).
9. In the results pane (for example, the My Computer Group results pane), right-click the computer group containing target computers that you want to change the action account for, click Open, and then click Command Shell.
10. In the Windows PowerShell window, type the path to the script followed by the name of the script, and then followed by the action account you want to change to. For example, type c:\Documents and Settings\<user>\My Documents\set-ActionAccount "ActionAccount" (where "ActionAccount" is the credentials (domain\username) for the action account that you want to set on multiple computers), and then press ENTER.

To set the action account on multiple computers using discovered inventory
1. Log on to the computer with an account that is a member of the Operations Manager Administrators role for the Operations Manager 2007 management group.
2. In the Operations console, click the Monitoring button.
   Note: When you run the Operations console on a computer that is not a management server, the Connect To Server dialog box displays. In the Server Name text box, type the name of the Operations Manager 2007 management server that you want the Operations console to connect to.
3. In the Monitoring pane, expand Monitoring, and then click Discovered Inventory.
4. In the Actions pane, expand State Actions, and then click Change target type.
5. In the Select a Target Type dialog box, select View all targets.
6. In the Look for text box, type Computer Group.
7. In the Target column, click Computer Group, and then click OK.
8. In the Discovered Inventory (Computer Group) results pane, right-click the computer group containing target computers that you want to change the action account for, click Open, and then click Command Shell.
9. In the Windows PowerShell window, type the path to the script followed by the name of the script, and then followed by the action account you want to change to. For example, type c:\Documents and Settings\<user>\My Documents\set-ActionAccount "ActionAccount" (where "ActionAccount" is the credentials (domain\username) for the action account that you want to set on multiple computers), and then press ENTER.
Operation/Privilege: A securable action, such as resolving alerts, executing tasks, overriding monitors, creating user roles, viewing alerts, viewing events, and so on. For a list of the available operations, see Appendix A.

Profile: A collection of operations that are granted to a persona; for example, Administrator or Operator. Operations Manager 2007 contains the following profiles:
- Administrator
- Advanced Operator
- Author
- Operator
- Read-Only Operator
- Report Operator
- Report Security Administrator

Scope: Defines the boundaries of the running of profile operations, for example, tasks and groups.

User Role: The combination of a profile and scope.

An association of Windows users and groups to Operations Manager roles.
Scope
All management pack objects, for example, attributes, monitors, object discoveries, rules, tasks, and views, are scoped by targets (also called types or classes). A target as defined in a management pack represents a certain type of object. All objects of this type share some common characteristics. Everywhere objects of this type exist there is a common way of discovering them, a common set of properties that can be discovered, and a common way to monitor them. By default, before any management packs are imported, 163 targets are created in Operations Manager 2007.

Groups are logical collections of objects, such as Windows-based computers, hard disks, or instances of Microsoft SQL Server.

Tasks can either be an agent task or a console task. Agent tasks can run remotely on an agent or a management server, while console tasks can run only on the local computer. In addition, console tasks are not scoped by user roles; they are available to all users. In Operations Manager 2007, you can have a batch file or script run as a task remotely or locally, but if the task is generated by an alert or an event, it can only be run locally.

Views are groups of managed objects that have a commonality, which is defined in the view properties. When you select a view, a query is sent to the Operations Manager database and the results of the query are displayed in the results pane.
User Role
In Operations Manager 2007, a user role is created by defining a union of profile and scope. You create a user role from within one of the five predefined profiles, or one of the seven predefined profiles if Reporting has been installed, and then define an appropriate scope. The following table defines the profile types, and an appropriate scope for each.
Profile type | Profile description | Role scope
Administrator | Has full privileges to Operations Manager; no scoping of the Administrator profile is supported. | Full access to all Operations Manager data, services, administrative, and authoring tools.
Advanced Operator | Has limited change access to Operations Manager configuration; ability to create overrides to rules; monitors for targets or groups of targets within the configured scope. Advanced Operator also inherits Operator privileges. | Can be scoped against any groups, views, and tasks currently present and those imported in the future.
Author | Has ability to create, edit, and delete tasks, rules, monitors, and views within configured scope. Author also inherits Advanced Operator privileges. | tasks currently present and those imported in the future. The Author role is unique in that this is the only profile type that can be scoped against the targets.
Operator | Has ability to edit or delete alerts, run tasks, and access views according to configured scope. Operator also inherits Read-Only Operator privileges. | Can be scoped against any groups, views, and tasks currently present and those imported in the future.
Read-Only Operator | Has ability to view alerts and access views according to configured scope. | Can be scoped against any groups and views currently present and those imported in the future.
Report Operator | Has ability to view reports according to configured scope. | Globally scoped.
Report Security Administrator | Enables integration of SQL Reporting Services security with Operations Manager roles. | No scope.
Important: Adding a computer account to a user role member would allow all services on that computer to have SDK access. It is recommended that you do not add a computer account to any user role.

Except for the Administrator role, you can add Active Directory security groups or individual accounts to any of these predefined roles. You can add Active Directory security groups only to the Administrator role. Adding users or a group to a role means that those individuals will be able to exercise the given role privileges across the scoped objects (including any inherited objects).

Note: The predefined roles are globally scoped, giving them access to all groups, views, targets, and tasks, except for Report Security Administrator.

Operations Manager also allows you to create custom roles based on the Operator, Read-Only Operator, Author, and Advanced Operator profiles. When you create the role, you can further narrow the scope of groups, tasks, and views that the role can access. For example, you can create a role entitled "Exchange Operator" and narrow the scope to only Exchange-related groups, views, and tasks. User accounts assigned to this role will only be able to run Operator-level actions on Exchange-related objects.

Important: Make sure that you create a domain security group for the Operations Manager Administrators role. This group is required to be in place during the first setup run for a management group.

For more information about how to administer security roles, accounts, and profiles in Operations Manager 2007, see the topic How to Administer Security Roles, Accounts, and Profiles in Operations Manager 2007 (http://go.microsoft.com/fwlink/?LinkId=88131).
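The role model described in this section (a user role as profile plus scope, profile inheritance, and the membership rules), worked through in Python as an added example that is not part of the guide or of Operations Manager. The operation labels, the CONTOSO accounts, and the object names are constructed for illustration, and group membership is not expanded, so only direct members are evaluated.

```python
from dataclasses import dataclass, field
from typing import Optional

# Operation labels paraphrase the profile table above; they are illustrative
# and are not the operation names listed in Appendix A.
DIRECT_OPS = {
    "Read-Only Operator": {"view_alerts", "access_views"},
    "Operator": {"edit_alerts", "delete_alerts", "run_tasks"},
    "Advanced Operator": {"override_rules", "override_monitors"},
    "Author": {"author_tasks", "author_rules", "author_monitors", "author_views"},
}
# "X also inherits Y privileges", as stated in the profile descriptions.
INHERITS = {
    "Operator": "Read-Only Operator",
    "Advanced Operator": "Operator",
    "Author": "Advanced Operator",
}
# Object kinds each profile can be scoped against; only Author accepts targets.
SCOPABLE = {
    "Read-Only Operator": {"group", "view"},
    "Operator": {"group", "view", "task"},
    "Advanced Operator": {"group", "view", "task"},
    "Author": {"group", "view", "task", "target"},
}


def effective_operations(profile):
    """Return the operations a profile grants, following the inheritance chain."""
    ops = set()
    while profile is not None:
        ops |= DIRECT_OPS.get(profile, set())
        profile = INHERITS.get(profile)
    return ops


@dataclass
class Member:
    name: str
    kind: str  # "user", "group" or "computer"


@dataclass
class UserRole:
    name: str
    profile: str
    scope: Optional[dict] = None  # None means globally scoped
    members: list = field(default_factory=list)

    def __post_init__(self):
        if self.scope is None:
            return
        # Administrator and the two report profiles cannot be narrowed.
        if self.profile not in SCOPABLE:
            raise ValueError(f"{self.profile} profile does not support scoping")
        bad = set(self.scope) - SCOPABLE[self.profile]
        if bad:
            raise ValueError(f"{self.profile} cannot be scoped by {sorted(bad)}")


def is_allowed(role, account, operation, kind, obj):
    """True if `account`, a direct member of `role`, may run `operation` on `obj`."""
    if all(m.name != account for m in role.members):
        return False
    if role.profile == "Administrator":
        return True  # full privileges, never scoped
    if operation not in effective_operations(role.profile):
        return False
    if role.scope is None:
        return True
    return obj in role.scope.get(kind, set())


def audit_members(role):
    """Flag memberships that the guidance in this section advises against."""
    findings = []
    for m in role.members:
        if m.kind == "computer":
            findings.append(f"{role.name}: computer account {m.name} would give "
                            "all services on that computer SDK access")
        elif role.profile == "Administrator" and m.kind != "group":
            findings.append(f"{role.name}: {m.name} is not a security group")
    return findings


# Constructed sample: the "Exchange Operator" custom role from the text,
# with one member that the audit should flag.
EXCHANGE_OPERATOR = UserRole(
    name="Exchange Operator",
    profile="Operator",
    scope={"group": {"Exchange Servers"}, "view": {"Exchange Alerts"},
           "task": {"Restart Exchange Service"}},
    members=[Member("CONTOSO\\alice", "user"),
             Member("CONTOSO\\EXCH01$", "computer")],
)

if __name__ == "__main__":
    print(sorted(effective_operations("Operator")))
    print(is_allowed(EXCHANGE_OPERATOR, "CONTOSO\\alice", "run_tasks",
                     "task", "Restart Exchange Service"))
    for finding in audit_members(EXCHANGE_OPERATOR):
        print(finding)
```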
A Run As account allows you to specify the necessary privileges for use with rules, tasks, monitors, and discoveries targeted to specific computers on an as-needed basis. Data is encrypted between the root management server and the targeted computer when credentials are being transferred and the credentials are securely stored on the targeted computer.

A particular task, rule, monitor, or discovery can be associated with a Run As profile. This association is made when the management pack is created. The Operations Manager Administrator has the option of associating other Run As accounts for the particular Run As profile on a targeted computer.

For example, Alice is working on a SQL management pack and is creating a Get DB Statistics task. Alice knows that the action account will not have sufficient rights to run this task; however, Bob, the SQL Administrator, does. Alice needs to configure the task to run with Bob's credentials. While authoring the management pack, Sam creates a Run As profile called DB Operators and associates it with the task module. When the SQL management pack containing the Get DB Statistics task is imported into Operations Manager 2007, the Run As profile associated with the task will be included in the import and DB Operators will appear in the list of available Run As profiles. The Operations Manager 2007 administrator will create a Run As account configured with Alice's credentials. The Run As account is then associated with the Run As profile that the task will use. The target computer on which the Run As account will be used is explicitly specified in the Run As profile.

Note: The default account for the Run As profile is the action account. Give appropriate thought to what the action account should be and choose an account with appropriate permissions. In most instances, a domain administrator would not be a good choice.

Operations Manager 2007 administrators can associate different Run As accounts for different target computers with each Run As profile. This association is useful in cases in which the Run As profile is used on a different computer when each computer requires a different credential. Alice has user rights to run the task on computer 1 running SQL Server, while Bob has user rights on computer 2 running SQL Server. In this situation, separate Run As accounts are created for Alice and Bob and both are associated with the single Run As profile. This assignment must be made on two separate computers.
Account used by Active Directorybased agent assignment module to publish assignment settings to Active Directory. This account will be used to automatically diagnose agent failures.
None
20
Name
Description
Run As account
If specified, used by Operations None Manager 2007 to run all client monitoring modules. If not specified, Operations Manager 2007 uses the default action account. Account used by the Operations Manager management pack to monitor connection health to the connected management groups. None
If specified, this account is None used to run all Data Warehouse collection and synchronization rules instead of the default action account. If this account is not overridden by the Data Warehouse SQL Server Authentication account, this account is used by collection and synchronization rules to connect to the Data Warehouse databases using Windows integrated authentication. This account is used by Data Warehouse report autodeployment procedures to execute various report deployment-related operations. Data Warehouse Report Deployment Account
If specified, this login name and password is used by collection and synchronization rules to connect to the Data Warehouse databases using SQL Server authentication.
Data Warehouse SQL Server Authentication Account
The default Health Service Action Account.
The account credentials provided during setup.
None
Windows account used by notification rules. Use this account's e-mail address as the e-mail and instant message 'From' address.
None
None
Operational Database Account
This account is used to read and write information to the Operations Manager database.
Privileged Monitoring Account
This profile is used for monitoring, which can only be done with a high level of privilege to a system; for example, monitoring that requires Local System or Local Administrator permissions. This profile defaults to Local System unless specifically overridden for a target system.
None
If specified, this login name and password is used by SDK Service to connect to the Data Warehouse databases using SQL Server authentication.
Reporting SDK SQL Server Authentication Account
This profile is reserved and must not be used.
None
Account used by the validate alert subscription module that validates that notification subscriptions are in scope. This profile needs administrator rights.
Local System Windows Account
This profile is used for all discovery and monitoring of Windows Cluster components. This profile defaults to used action accounts unless specifically populated by the user.
None
WS-Management Action Account
This profile is used for WS-Management access.
None
distributed to SQL Server2. Account information sent between the management server and the designated computer is encrypted.
See Also
Account Information for Operations Manager 2007
Role-based Security in Operations Manager 2007
To create a Run As Account
1. Log on to the Operations console with an account that is a member of the Operations Manager Administrators role for the Operations Manager 2007 management group.
2. In the Operations console, click Administration.
3. In the Administration pane, expand Administration, expand Run As Configuration, right-click Accounts, and then click Create Run As Account.
4. In the Create Run As Account Wizard, on the Introduction page click Next.
5. On the General Properties page, do the following:
   a. Select Windows in the Run As Account type: list.
   b. Type a display name in the Display Name text box.
   c. Optionally, type a description in the Description box.
   d. Click Next.
6. On the Credentials page, type a user name, and its password, and then select the domain for the account that you want to make a member of this Run As Account.
7. Click Next.
8. On the Distribution Security page, select the Less secure or More secure option as appropriate.
9. Click Create.
10. On the Run As Account Creation Progress page, click Close.

When you create a Run As Account you are warned that you must associate the Run As Account with a Run As profile, and you are not presented with the option to configure Run As Account credential distribution. Both of these activities can be accomplished in the Run As Profile wizard. Alternately, you can configure Run As Account credential distribution by editing the properties of the Run As Account as shown next.

To modify Run As Account properties
1. In the Operations console, click Administration.
2. In the Administration pane, expand the Administration node, expand the Run As Configuration node, and select the Accounts container.
3. In the results pane, double-click the Run As Account that you want to edit to open its properties.
4. On the Run As Account Properties page you can edit values on the General Properties, Credentials, or the Distribution tabs. In this case, select the Distribution tab.
5. On the Distribution tab, in the Selected computers: area, click Add to open the Computer Search tool.
6. On the Computer Search page, click the Option: list and select one of the following options:
   a. Search by computer name (Default), then type in the computer name in the Filter by: (Optional) box.
   b. Show suggested computers. If you have already associated the Run As Account object with a Run As profile, a list of discovered computers that host the monitored service is presented here.
   c. Show management servers. In some cases, for example cross platform monitoring, all monitoring is performed by a management server and therefore the credentials have to be distributed to the management servers that are performing the monitoring.
7. Optionally, type in a value in the Filter by: (Optional) box to narrow the search result set and click Search. A list of computers that match the search criteria is displayed in the Available items box.
8. Select the computers that you want to distribute the credentials to, and click Add. The computers appear in the Selected Items box.
9. Click OK. This returns you to the Distribution tab and the computers are displayed. Click OK.
See Also
How to Create and Configure a Run As Profile in Operations Manager 2007
As Profile. If this is your first time through the Run As Profile wizard, be sure to read the text on the Introduction page.
4. Click Next.
5. On the General Properties page, do the following:
   a. Type a display name for the Run As Profile in the Display name box.
   b. Optionally, enter a description for the Run As Profile.
   c. Click New for the Select destination management pack list to create an override management pack if you have not already created one. If you have already created an override management pack, select it from the drop-down list and skip to step 9.
6. In the Create a Management Pack wizard on the General Properties page, type a name in the Name box. Optionally, enter a description for the management pack. Then click Next.
   Tip
   By default, when you create a management pack object, disable a rule or monitor, or create an override, Operations Manager saves the setting to the Default Management Pack. As a best practice, you should create a separate management pack for each sealed management pack that you want to customize, rather than saving your customized settings to the Default Management Pack. For more information, see Customizing Management Packs (http://go.microsoft.com/fwlink/?LinkId=140601).
7. On the Knowledge Article page, click Edit if you want to provide summary, configuration, additional information, and external knowledge sources information about this management pack.
8. Click Create. This returns you to the General Properties page of the Run As Profile wizard.
9. Click Next.
10. On the Run As Accounts page, click Add to open the Add a Run As Account page.
11. Click New, which starts the Create Run As Account Wizard and opens the General Properties page.
12. From the Run As Account type box, select the type of account that you need to create. This is specified in the management pack guide.
13. Type a name in the Display name: box, optionally type a description, and then click Next.
14. On the Credentials page, type the user name and password of the actual credential that you want the Run As Profile to use in the respective User name, Password, and Confirm password boxes.
15. Ensure that the correct domain for the credentials is selected in the Domain list. Click Next.
16. On the Distribution Security page, select the Less secure or More secure option as instructed by your management pack guide. Note that if you choose the Less secure option, the credentials are accessible to the administrators of all recipient computers. For more information about credential distribution security, see Run As Profiles and Run As Accounts in Operations Manager 2007.
17. Click Create.
18. On the Run As Account Creation Progress page, when creation is complete, read the warning note, and then click Close. This returns you to the Add a Run As Account page.
19. In the This Run As Account will be used to manage the following objects area, select the All targeted objects or A selected class, group or object option, per the configuration values in your management pack guide.
20. If the A selected class, group or object box is prepopulated with a value, click OK; otherwise click Select and pick either Class, Group, or Object as instructed by the management guide. This opens the respective Class search, Group search, or Object search page.
21. In any of the search tools, type your search or filter criteria, and click Search. The results are displayed in the Available items box.
22. Select the item you want the Run As Account object to be used to manage, and then click OK.
23. Click OK. This returns you to the Run As Accounts page in the Run As Profile Wizard.
24. If you want to add additional Run As Accounts, click Add again and repeat steps 10 through 23; otherwise click Create.
   Note
   This procedure assumes that you selected the More secure option and presents the remaining steps in order. If you selected the Less secure option, skip to step 29.
25. On the Run As Profile Wizard Completion page you see all the Run As Accounts that were configured with the More secure setting listed as a link. It is now necessary to select each Run As Account one at a time and configure credential distribution.
26. Double-click an account; this opens the Run As Account Properties page to the Distribution tab. You will see your security level selection and the Selected computers displayed. You can edit both from here.
27. Click Add for the Selected computers box and do the following:
   a. Select Search by computer name (Default) or Show suggested computers, or Show management servers.
   b. Optionally type in a value in the Filter by: (Optional) box.
   c. Click Search. The result set is returned in the Available items box.
   d. Select the computers you want from the result set, and click Add. This adds the selected computers to the Selected objects box.
   e. Click OK.
28. Click OK. This returns you to the Completion page of the Run As Profile Wizard. A green checkmark appears next to the accounts that you have successfully completed distribution configuration for.
29. Click Close.
See Also
How to Create a Run As Account in Operations Manager 2007
How to Modify an Existing Run As Profile
Authentication and Data Encryption for Windows Computers in Operations Manager 2007
Operations Manager 2007 consists of components such as the root management server, management server, gateway server, Reporting Server, Operations Manager database, Reporting data warehouse, agent, Web console, and Operations console. This section explains how authentication is performed and identifies connection channels where the data is encrypted.
Certificate-Based Authentication
When an Operations Manager agent and management server are separated by either an untrusted forest or workgroup boundary, certificate-based authentication will need to be implemented. The following sections provide information about these situations and specific procedures for obtaining and installing certificates from Windows-based certification authorities.
Setting Up Communication Between Agents and Management Servers Within the Same Trust Boundary
An agent and the management server use Windows authentication to mutually authenticate with each other before the management server accepts data from the agent. The Kerberos version 5 protocol is the default method for providing authentication. In order for Kerberos-based mutual authentication to function, the agents and management server must be installed in an Active Directory domain. If an agent and a management server are in separate domains, full trust must exist between the domains. In this scenario, after mutual authentication has taken place, the data channel between the agent and the management server is encrypted. No user intervention is required for authentication and encryption to take place.
Setting Up Communication Between Agents and Management Servers Across Trust Boundaries
An agent (or agents) might be deployed into a domain (domain B) separate from the management server (domain A), and no two-way trust might exist between the domains. Because there is no trust between the two domains, the agents in one domain cannot authenticate with the management server in the other domain using the Kerberos protocol. Mutual authentication between the Operations Manager 2007 components within each domain still occurs. A solution to this situation is to install a gateway server in the same domain where the agents reside, and then install certificates on the gateway server and the management server to achieve mutual authentication and data encryption. The use of the gateway server means you need only one certificate in domain B and only one port through the firewall, as shown in the following illustration.
For more information, see the following topics in this security guide:
• How to Obtain a Certificate Using Windows Server 2003 Enterprise CA in Operations Manager 2007
• How to Obtain a Certificate Using Windows Server 2003 Stand-Alone CA in Operations Manager 2007
• How to Obtain a Certificate Using Windows Server 2008 Enterprise CA in Operations Manager 2007
• How to Obtain a Certificate Using Windows Server 2008 Stand-Alone CA in Operations Manager 2007
Perform the following steps on both the computer hosting the agent and the management server using the same certification authority (CA) for each:
• Request certificates from the CA.
• Approve the certificate requests on the CA.
• Install the approved certificates in the computer certificate stores.
• Use the MOMCertImport tool to configure Operations Manager 2007.

These are the same steps for installing certificates on a gateway server, except you do not install or run the gateway approval tool. For more information, see the following topics in this security guide:
• How to Obtain a Certificate Using Windows Server 2003 Enterprise CA in Operations Manager 2007
• How to Obtain a Certificate Using Windows Server 2003 Stand-Alone CA in Operations Manager 2007
• How to Obtain a Certificate Using Windows Server 2008 Enterprise CA in Operations Manager 2007
• How to Obtain a Certificate Using Windows Server 2008 Stand-Alone CA in Operations Manager 2007
Information
OpsMgr Connector
20053
The OpsMgr Connector has loaded the specified authentication certificate successfully.
During the setup of a certificate, you run the MOMCertImport tool. When the MOMCertImport tool has finished, the serial number of the certificate that you imported is written to the registry at the following subkey.

Caution
Incorrectly editing the registry can severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings
Authentication and Data Encryption Between Root Management Server, Management Server, Gateway Server, and Agents
Communication among these Operations Manager components begins with mutual authentication. If certificates are present on both ends of the communications channel, then certificates will be used for mutual authentication; otherwise, the Kerberos version 5 protocol is used. If any two components are separated across an untrusted domain, mutual authentication must be performed using certificates.

Normal communications, such as events, alerts, and deployment of a management pack, occur over this channel. The previous illustration shows an example of an alert being generated on one of the agents that is routed to the root management server (RMS). From the agent to the gateway server, the Kerberos security package is used to encrypt the data, because the gateway server and the agent are in the same domain. The alert is decrypted by the gateway server and re-encrypted using certificates for the management server. After the management server receives the alert, the management server decrypts the message, re-encrypts it using the Kerberos protocol, and sends it to the RMS where the RMS decrypts the alert.

Some communication between the RMS and the agent may include credential information; for example, configuration data and tasks. The data channel between the agent and the management server adds another layer of encryption in addition to the normal channel encryption. No user intervention is required.
SecureStorageBackup tool, see the topic How to Backup and Restore Encryption Keys in Operations Manager 2007 (http://go.microsoft.com/fwlink/?LinkId=87387). For information about recovering from disasters involving the loss of the root management server with or without the backup of the encryption key, see the Knowledge Base article titled The Root Management Server encryption key is unavailable after you replace or reinstall the Root Management Server server in Microsoft System Center Operations Manager 2007 (http://go.microsoft.com/fwlink/?LinkId=112310).
Root Management Server and Operations Console, Web Console Server, and Reporting Server
Authentication and data encryption between the root management server (RMS) and the Operations console, Web console server, or Reporting Server is accomplished by using Windows Communication Foundation (WCF) technology (formerly code-named "Indigo"). The initial attempt at authentication is made by using the user's credentials. The Kerberos protocol is attempted first. If the Kerberos protocol does not work, another attempt is made using NTLM. If authentication still fails, the user is prompted to provide credentials. After authentication has taken place, the data stream is encrypted as a function of either the Kerberos protocol or SSL, if NTLM is used. In the case of a Reporting Server and an RMS, after authentication has occurred, a data connection is established between the RMS and SQL Server Reporting Server. This is accomplished by strictly using the Kerberos protocol; therefore, the RMS and Reporting Server must reside in trusted domains. For more information about WCF, see the MSDN article What Is Windows Communication Foundation? (http://go.microsoft.com/fwlink/?LinkId=87429).
connect to the Reporting data warehouse using SQL Server Authentication. To do this, create a new Run As Account (of Simple Account type) with the SQL account credential and make it a member of the Run As Profile called Data Warehouse SQL Server Authentication Account, with the management server as the target computer.

Important
By default, the Run As Profile, Data Warehouse SQL Server Authentication Account was assigned a special account through the use of the Run As Account of the same name. Never make any changes to the account that is associated with the Run As Account, Data Warehouse SQL Server Authentication Account. Instead, create your own account and your own Run As Account and make the Run As Account a member of the Run As Profile, Data Warehouse SQL Server Authentication Account when configuring SQL Server Authentication.

The following outlines the relationship of the various account credentials, Run As Accounts, and Run As Profiles for both Windows Integrated Authentication and SQL Server Authentication.

Default: Windows Integrated Authentication
  Run As Profile: Data Warehouse Account
    Run As Account: Data Warehouse Action Account
    Credentials: Data Writer Account (specified during setup)
  Run As Profile: Data Warehouse SQL Server Authentication Account
    Run As Account: Data Warehouse SQL Server Authentication Account
    Credentials: Special account created by Operations Manager (do not change)
Optional: SQL Server Authentication
  Run As Profile: Data Warehouse SQL Server Authentication Account
    Run As Account: A Run As Account you create.
    Credentials: An account you create.
The System Center Data Access Service or the SDK Service, and Reporting Data Warehouse
The SDK service found in Operations Manager 2007 SP1 is renamed to the System Center Data Access service in Operations Manager 2007 R2. By default, the System Center Data Access service, or SDK service, which is responsible for reading data from the Reporting data warehouse and making it available in the Report Parameter Area, achieves Windows Integrated Authentication by running as the SDK and Config account that was defined during setup of Operations Manager 2007. If the Reporting data warehouse and the management server are separated by a trust boundary (for example, each resides in different domains with no trust), then Windows Integrated Authentication would not work. To work around this situation, the System Center Data Access service or SDK service can connect to the Reporting data warehouse using SQL Server Authentication. To do this, create a new Run As Account (of Simple Account type) with the SQL account credential and make it a member of the Run As Profile called Reporting SDK SQL Server Authentication Account with the management server as the target computer.

Important
By default, the Run As Profile, Reporting SDK SQL Server Authentication Account was assigned a special account through the use of the Run As Account of the same name. Never make any changes to the account that is associated with the Run As Account, Reporting SDK SQL Server Authentication Account. Instead, create your own account and your own Run As Account, and make the Run As Account a member of the Run As Profile, Reporting SDK SQL Server Authentication Account when configuring SQL Server Authentication.

The following outlines the relationship of the various account credentials, Run As Accounts, and Run As Profiles for both Windows Integrated Authentication and SQL Server Authentication.

Default: Windows Integrated Authentication
  SDK and Config Service Account (defined during setup of Operations Manager)
  Run As Profile: Reporting SDK SQL Server Authentication Account
    Run As Account: Reporting SDK SQL Server Authentication Account
    Credentials: Special account created by Operations Manager (do not change)
Optional: SQL Server Authentication
  Run As Profile: Data Warehouse SQL Server Authentication Account
    Run As Account: A Run As Account you create.
    Credentials: An account you create.
See Also
How to Change the Reporting Server Execution Account Password in Operations Manager 2007
How to Configure the Operations Console to Use SSL When Connecting to a Reporting Server in Operations Manager 2007
How to Obtain a Certificate Using Windows Server 2003 Enterprise CA in Operations Manager 2007
How to Obtain a Certificate Using Windows Server 2003 Stand-Alone CA in Operations Manager 2007
How to Obtain a Certificate Using Windows Server 2008 Enterprise CA in Operations Manager 2007
How to Obtain a Certificate Using Windows Server 2008 Stand-Alone CA in Operations Manager 2007
How to Remove Certificates Imported with MOMCertImport in Operations Manager 2007
How to Configure the Operations Console to Use SSL When Connecting to a Reporting Server in Operations Manager 2007
Before you can configure the Operations console to use SSL when connecting to a Reporting Server, you must first install an SSL certificate on IIS and then configure the Operations console to use SSL. On the Reporting Server, start Internet Information Services (IIS) Manager to request and install an SSL certificate. For more information about how to implement SSL in IIS, see the Knowledge Base article How to implement SSL in IIS (http://go.microsoft.com/fwlink/?LinkId=87862). Use the following procedure to configure the Operations console to use SSL.

To configure the Operations Console to use SSL
1. Log on to the computer with an account that is a member of the Operations Manager Administrators role for the Operations Manager 2007 management group.
2. In the Operations console, click the Administration button.
   Note
   When you run the Operations console on a computer that is not a management server, the Connect To Server dialog box displays. In the Server name text box, type the name of the Operations Manager 2007 management server that you want the Operations console to connect to.
3. In the Administration pane, expand Administration, expand Device Management, and then click Settings.
4. In the Settings pane, right-click Reporting, and then click Properties.
5. In the General tab, under Reporting Server Settings, click the Reporting server URL drop-down list and select https://.
6. Edit the URL by replacing :80 with :443, and then click OK.
See Also
How to Obtain a Certificate Using Windows Server 2003 Enterprise CA in Operations Manager 2007
How to Obtain a Certificate Using Windows Server 2003 Stand-Alone CA in Operations Manager 2007
How to Remove Certificates Imported with MOMCertImport in Operations Manager 2007
How to Obtain a Certificate Using Windows Server 2003 Enterprise CA in Operations Manager 2007
The following procedures provide the steps for obtaining a certificate from an enterprise certification authority (CA) by using Certificate Services, which is a feature in Windows 2000 Server and Windows Server 2003. To obtain a certificate in this manner, you must do the following:
• Download the Trusted Root (CA) certificate.
• Import the Trusted Root (CA) certificate.
• Create a certificate template.
• Request a certificate from the enterprise CA.
• Import the certificate into Operations Manager.

To download the Trusted Root (CA) certificate
1. Log on to the computer where you installed a certificate; for example, the gateway server or management server.
2. Start Internet Explorer, and connect to the computer hosting Certificate Services; for example, https://<servername>/certsrv.
3. On the Welcome page, click Download a CA Certificate, certificate chain, or CRL.
4. On the Download a CA Certificate, Certificate Chain, or CRL page, click Encoding method, click Base 64, and then click Download CA certificate chain.
5. In the File Download dialog box, click Save, and save the certificate; for example, Trustedca.p7b.
6. When the download has finished, close Internet Explorer.

To import the Trusted Root (CA) Certificate
1. On the Windows desktop, click Start, and then click Run.
2. In the Run dialog box, type mmc, and then click OK.
3. In the Console1 window, click File, and then click Add/Remove Snap-in.
4. In the Add/Remove Snap-in dialog box, click Add.
5. In the Add Standalone Snap-in dialog box, click Certificates, and then click Add.
6. In the Certificates snap-in dialog box, select Computer account, and then click Next.
7. In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish.
8. In the Add Standalone Snap-in dialog box, click Close.
9. In the Add/Remove Snap-in dialog box, click OK.
10. In the Console1 window, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.
11. Right-click Certificates, select All Tasks, and then click Import.
12. In the Certificate Import Wizard, click Next.
13. On the File to Import page, click Browse and select the location where you downloaded the CA certificate file, for example, TrustedCA.p7b, select the file, and then click Open.
14. On the File to Import page, select Place all certificates in the following store and ensure that Trusted Root Certification Authorities appears in the Certificate store box, and then click Next.
15. On the Completing the Certificate Import Wizard page, click Finish.

To create a certificate template
1. On the computer that is hosting your enterprise CA, on the Windows desktop, click Start, point to Programs, point to Administrative Tools, and then click Certification Authority.
2. In the navigation pane, expand the CA name, right-click Certificate Templates, and then click Manage.
3. In the Certificate Templates console, in the results pane, right-click IPSec (Offline request), and then click Duplicate Template.
4. In the Properties of New Template dialog box, on the General tab, in the Template display name text box, type a new name for this template (for example, OperationsManagerCert).
5. On the Request Handling tab, select Allow private key to be exported, and then click CSPs.
6. In the CSP Selection dialog box, select the cryptographic service provider that best suits your business needs, and then click OK.
   Note
   Windows 2000 Server will work with Microsoft Enhanced Cryptographic Provider 1.0. Windows Server 2003 and Windows XP will work with Microsoft RSA SChannel Cryptographic Provider.
7. Click the Extensions tab, and in Extensions included in this template, click Application Policies, and then click Edit.
8. In the Edit Application Policies Extension dialog box, click IP security IKE intermediate, and then click Remove.
9. Click Add, and in the Application policies list, hold down the CTRL key to multi-select items from the list, click Client Authentication and Server Authentication, and then click OK.
10. In the Edit Application Policies Extension dialog box, click OK.
11. Click the Security tab, ensure that the Authenticated Users group has Read and Enroll permissions, and then click OK.

To add the template to the Certificate Templates folder
1. Within the Certification Authority snap-in, right-click the Certificate Templates folder, point to New, and then click Certification Template to Issue.
2. In the Enable Certificate Templates box, select the certificate template that you created, and then click OK.

To request a certificate from an enterprise CA
1. Log on to the computer where you want to install a certificate (for example, gateway server or management server).
2. Start Internet Explorer, and connect to the computer hosting Certificate Services (for example, http://<servername>/certsrv).
3. On the Microsoft Certificate Services Welcome page, click Request a certificate.
4. On the Request a Certificate page, click Or, submit an advanced certificate request.
5. On the Advanced Certificate Request page, click Create and submit a request to this CA.
6. On the Advanced Certificate Request page, do the following:
   a. Under Certificate Template, select the name of the template you created (for example, OperationsManagerCert).
   b. Under Identifying Information For Offline Template, in the Name field, enter a unique name; for example, the fully qualified domain name (FQDN) of the computer you are requesting the certificate for. For the rest of the fields, enter the appropriate information.
      Note
      Event ID 20052 of type Error is generated if the FQDN entered into the Name field does not match the computer name.
   c. Under Key Options, click Create a new key set; in the CSP field, select the cryptographic service provider that best suits your business needs; under Key Size, select a key size that best suits your business needs; select Automatic key container name; ensure that Mark keys as exportable is selected; clear Export keys to file; clear Enable strong private key protection; and then click Store certificate in the local computer certificate store.
      Note
      Windows 2000 Server will work with Microsoft Enhanced Cryptographic Provider 1.0. Windows Server 2003 and Windows XP will work with Microsoft RSA SChannel Cryptographic Provider.
   d. Under Additional Options, under Request Format, select CMC; in the Hash Algorithm list, select SHA-1; clear Save request to a file; and then in the Friendly Name field, enter the FQDN of the computer that you are requesting the certificate for.
   e. Click Submit.
   f. If a Potential Scripting Violation message is displayed, click Yes.
   g. On the Certificate Issued page, click Install this certificate.
   h. If a Potential Scripting Violation dialog box is displayed, click Yes.
   i. On the Certificate Installed page, when you see the message that Your new certificate has been successfully installed, close the browser.
To import certificates using MOMCertImport
1. Log on to the computer with an account that is a member of the Administrators group.
2. On the Windows desktop, click Start, and then click Run.
3. In the Run dialog box, type cmd and then click OK.
4. At the command prompt, type <drive_letter>: (where <drive_letter> is the drive where the Operations Manager 2007 installation media is located), and then press ENTER.
5. Type cd\SupportTools\i386 and then press ENTER.
   Note
   On 64-bit computers, type cd\SupportTools\amd64
6. Type the following:
   MOMCertImport /SubjectName <Certificate Subject Name>
7. Press ENTER.
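The requirements set by the template and request procedures above (subject name equal to the computer FQDN, both Client Authentication and Server Authentication policies, a private key in the local computer store) and the serial number that MOMCertImport records in the registry can be checked together after the import. The PowerShell below is an added example, not part of the original guide; its function names are hypothetical, and because the guide names the registry subkey but not the value, the script scans every binary value under that subkey and compares in both byte orders (an assumption about how the serial number is stored).

```powershell
# Added example, not from the guide. Function names are hypothetical.
# Run on the agent, gateway server or management server that holds the certificate.

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication
# Subkey named in the guide. The value name is not given there, so it is discovered.
$MachineSettings = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'

function Get-LocalFqdn {
    # Host name plus primary DNS suffix; workgroup computers have no suffix.
    $ip = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    if ($ip.DomainName) { return "$($ip.HostName).$($ip.DomainName)" }
    return $ip.HostName
}

function Test-OpsMgrCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$Fqdn
    )
    $problems = @()

    # The Name field of the request must match the computer name (event 20052 otherwise).
    $cn = $Certificate.GetNameInfo('SimpleName', $false)
    if ($cn -ne $Fqdn) { $problems += "subject '$cn' does not match '$Fqdn' (event 20052)" }

    # The template must carry both application policies.
    $ekus = @()
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $ekus += $oid.Value }
        }
    }
    if ($ekus -notcontains $ClientAuthOid) { $problems += 'Client Authentication policy missing' }
    if ($ekus -notcontains $ServerAuthOid) { $problems += 'Server Authentication policy missing' }

    if (-not $Certificate.HasPrivateKey) { $problems += 'no private key in the store' }
    $now = Get-Date
    if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) {
        $problems += 'outside validity period'
    }
    return ,$problems
}

function Find-SerialInRegistry {
    # Returns the names of binary values under $Path that equal the serial number.
    param([byte[]]$Serial, [string]$Path)
    $hits = @()
    if (Test-Path -LiteralPath $Path) {
        $key = Get-Item -LiteralPath $Path
        $asReturned = [System.BitConverter]::ToString($Serial)
        $flipped = [byte[]]$Serial.Clone()
        [Array]::Reverse($flipped)
        $asFlipped = [System.BitConverter]::ToString($flipped)
        foreach ($name in $key.GetValueNames()) {
            $value = $key.GetValue($name)
            if ($value -is [byte[]]) {
                $hex = [System.BitConverter]::ToString($value)
                if ($hex -eq $asReturned -or $hex -eq $asFlipped) { $hits += $name }
            }
        }
    }
    return ,$hits
}

$fqdn = Get-LocalFqdn
Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $problems = Test-OpsMgrCertificate -Certificate $_ -Fqdn $fqdn
    $values = Find-SerialInRegistry -Serial $_.GetSerialNumber() -Path $MachineSettings
    New-Object PSObject -Property @{
        Subject       = $_.Subject
        SerialNumber  = $_.SerialNumber
        Signature     = $_.SignatureAlgorithm.FriendlyName
        Problems      = ($problems -join '; ')
        Imported      = ($values.Count -gt 0)
        RegistryValue = ($values -join ', ')
    }
} | Format-List Subject, SerialNumber, Signature, Problems, Imported, RegistryValue
```

A certificate that lists no problems and shows Imported as True is the one whose serial number was recorded under the subkey.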
See Also
How to Configure the Operations Console to Use SSL When Connecting to a Reporting Server in Operations Manager 2007 How to Obtain a Certificate Using Windows Server 2003 Stand-Alone CA in Operations Manager 2007 How to Obtain a Certificate Using Windows Server 2008 Enterprise CA in Operations Manager 2007
How to Obtain a Certificate Using Windows Server 2008 Stand-Alone CA in Operations Manager 2007 How to Remove Certificates Imported with MOMCertImport in Operations Manager 2007
How to Obtain a Certificate Using Windows Server 2003 Stand-Alone CA in Operations Manager 2007
The following procedures provide the steps for obtaining a certificate from an enterprise certification authority (CA) by using Certificate Services, which is a feature in Windows 2000 Server and Windows Server 2003. To obtain a certificate in this manner, you must perform the following procedures:
• Download the Trusted Root (CA) certificate.
• Import the Trusted Root (CA) certificate.
• Request a certificate from a stand-alone CA.
• Approve the pending certificate request. If your Certificate Services has been configured to auto-approve certificates, proceed to the next procedure, which is retrieving the certificate. Otherwise, the CA administrator needs to issue the certificate by using the Retrieve the certificate procedure.
• Retrieve the certificate.
• Using the MOMCertImport utility, import the certificate into Operations Manager.
To download the Trusted Root (CA) certificate
1. Log on to the computer where you installed a certificate; for example, the gateway server or management server.
2. Start Internet Explorer, and connect to the computer hosting Certificate Services; for example, https://<servername>/certsrv.
3. On the Welcome page, click Download a CA Certificate, certificate chain, or CRL.
4. On the Download a CA Certificate, Certificate Chain, or CRL page, click Encoding method, click Base 64, and then click Download CA certificate chain.
5. In the File Download dialog box, click Save, and save the certificate; for example, Trustedca.p7b.
6. When the download has finished, close Internet Explorer.
To import the Trusted Root (CA) Certificate
1. On the Windows desktop, click Start, and then click Run.
2. In the Run dialog box, type mmc, and then click OK.
3. In the Console1 window, click File, and then click Add/Remove Snap-in.
4. In the Add/Remove Snap-in dialog box, click Add.
5. In the Add Standalone Snap-in dialog box, click Certificates, and then click Add.
6. In the Certificates snap-in dialog box, select Computer account, and then click Next. 7. In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish. 8. In the Add Standalone Snap-in dialog box, click Close. 9. In the Add/Remove Snap-in dialog box, click OK. 10. In the Console1 window, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates. 11. Right-click Certificates, select All Tasks, and then click Import. 12. In the Certificate Import Wizard, click Next. 13. On the File to Import page, click Browse and select the location where you downloaded the CA certificate file, for example, TrustedCA.p7b, select the file, and then click Open. 14. On the File to Import page, select Place all certificates in the following store and ensure that Trusted Root Certification Authorities appears in the Certificate store box, and then click Next. 15. On the Completing the Certificate Import Wizard page, click Finish. To request a certificate from a stand-alone CA 1. Log on to the computer where you want to install a certificate (for example, the gateway server or management server). 2. Start Internet Explorer, and then connect to the computer hosting Certificate Services (for example, http://<servername>/certsrv). 3. On the Microsoft Certificate Services Welcome page, click Request a certificate. 4. On the Request a Certificate page, click Or, submit an advanced certificate request. 5. On the Advanced Certificate Request page, click Create and submit a request to this CA. 6. On the Advanced Certificate Request page, do the following: a. Under Identifying Information, in the Name field, enter a unique name, for example, the fully qualified domain name (FQDN) of the computer you are requesting the certificate for. For the remaining fields, enter the appropriate information. 
Note Event ID 20052 of type Error is generated if the FQDN entered into the Name field does not match the computer name.
b. Under Type of Certificate Needed: Click the list, and then select Other. In the OID field, enter 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
c. Under Key Options, make the following selections:
• Click Create a new key set
• In the CSP field, select Microsoft Enhanced Cryptographic Provider v1.0
• Under Key Usage, select Both
• Under Key Size, select 1024
• Select Automatic key container name
• Select Mark keys as exportable
• Clear Export keys to file (not required for Windows Server 2008 AD CS)
• Clear Enable strong private key protection
• Click Store certificate in the local computer certificate store.
d. Under Additional Options:
• Under Request Format, select CMC
• In the Hash Algorithm list, select SHA-1
• Clear Save request to a file
• In the Friendly Name field, enter the FQDN of the computer that you are requesting the certificate for.
e. Click Submit.
f. If a Potential Security Violation dialog box is displayed, click Yes.
g. When a Certificate Pending page displays, close the browser.
To approve the pending certificate request
1. Log on to the computer hosting Certificate Services as a certification authority administrator.
2. On the Windows desktop, click Start, point to Programs, point to Administrative Tools, and then click Certification Authority.
3. In Certification Authority, expand the node for your certification authority name, and then click Pending Requests.
4. In the results pane, right-click the pending request from the previous procedure, point to All Tasks, and then click Issue.
5. Click Issued Certificates, and confirm the certificate you just issued is listed.
6. Close Certification Authority.
To retrieve the certificate
1. Log on to the computer where you want to install a certificate (for example, the gateway server or management server).
2. Start Internet Explorer, and connect to the computer hosting Certificate Services (for example, http://<servername>/certsrv).
3. On the Microsoft Certificate Services Welcome page, click View the status of a pending certificate request.
4. On the View the Status of a Pending Certificate Request page, click the certificate you requested. 5. On the Certificate Issued page, click Install this certificate. 6. In the Potential Scripting Violation dialog box, click Yes. 7. On the Certificate Installed page, after you see the message that Your new certificate has been successfully installed, close the browser. To import certificates using MOMCertImport 1. Log on to the computer with an account that is a member of the Administrators group. 2. On the Windows desktop, click Start, and then click Run. 3. In the Run dialog box, type cmd, and then click OK. 4. At the command prompt, type <drive_letter>: (where <drive_letter> is the drive where the Operations Manager 2007 installation media is located), and then press ENTER. 5. Type cd\SupportTools\i386, and then press ENTER. Note On 64-bit computers, type cd\SupportTools\amd64 6. Type the following: MOMCertImport 7. In the Select Certificate dialog box, select the certificate you retrieved in the previous section, and then click OK. Note To help you select the correct certificate if more than one certificate is displayed, select the certificate for which the intended purposes are listed as Server Authentication, Client Authentication and the certificate where the friendly name matches the friendly name you defined above in step 6d in the procedure To request a certificate from a stand-alone CA. 8. In the command dialog box, the message Successfully installed the certificate. Please check Operations Manager log in event viewer to check channel connectivity will be displayed.
See Also
How to Configure the Operations Console to Use SSL When Connecting to a Reporting Server in Operations Manager 2007 How to Obtain a Certificate Using Windows Server 2003 Enterprise CA in Operations Manager 2007 How to Obtain a Certificate Using Windows Server 2008 Enterprise CA in Operations Manager 2007
How to Obtain a Certificate Using Windows Server 2008 Stand-Alone CA in Operations Manager 2007 How to Remove Certificates Imported with MOMCertImport in Operations Manager 2007
How to Obtain a Certificate Using Windows Server 2008 Enterprise CA in Operations Manager 2007
Use the procedures in this topic to obtain a certificate from a Windows Server 2008 computer hosting Enterprise Root Active Directory Certificate Services (AD CS). You will use the CertReq command-line utility to request and accept a certificate, and you will use a Web interface to submit and retrieve your certificate. It is assumed that you have AD CS installed, an HTTPS binding has been created, and its associated certificate has been installed. Information about creating an HTTPS binding is available in the topic How to Configure an HTTPS Binding for a Windows Server 2008 CA.
Important The content for this topic is based on the default settings for Windows Server 2008 AD CS; for example, setting the key length to 2048, selecting Microsoft Software Key Storage Provider as the CSP, and using Secure Hash Algorithm 1 (SHA1). Evaluate these selections against the requirements of your company's security policy.
The high-level process to obtain a certificate from an Enterprise certification authority (CA) is as follows:
1. Download the Trusted Root (CA) certificate.
2. Import the Trusted Root (CA) certificate.
3. Create a certificate template.
4. Add the template to the Certificate Templates folder.
5. Create a setup information file for use with the CertReq command-line utility.
6. Create a request file.
7. Submit a request to the CA.
8. Import the certificate into the certificate store.
9. Import the certificate into Operations Manager using MOMCertImport.
To download the Trusted Root (CA) certificate
1. Log on to the computer where you installed a certificate; for example, the gateway server or management server.
2. Start Internet Explorer, and connect to the computer hosting Certificate Services; for example, https://<servername>/certsrv.
3. On the Welcome page, click Download a CA Certificate, certificate chain, or CRL.
4. On the Download a CA Certificate, Certificate Chain, or CRL page, click Encoding method, click Base 64, and then click Download CA certificate chain.
5. In the File Download dialog box, click Save and save the certificate; for example, Trustedca.p7b. 6. When the download has finished, close Internet Explorer. To import the Trusted Root (CA) Certificate 1. On the Windows desktop, click Start, and then click Run. 2. In the Run dialog box, type mmc, and then click OK. 3. In the Console1 window, click File, and then click Add/Remove Snap-in. 4. In the Add/Remove Snap-in dialog box, click Add. 5. In the Add Standalone Snap-in dialog box, click Certificates, and then click Add. 6. In the Certificates snap-in dialog box, select Computer account, and then click Next. 7. In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish. 8. In the Add Standalone Snap-in dialog box, click Close. 9. In the Add/Remove Snap-in dialog box, click OK. 10. In the Console1 window, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates. 11. Right-click Certificates, select All Tasks, and then click Import. 12. In the Certificate Import Wizard, click Next. 13. On the File to Import page, click Browse and select the location where you downloaded the CA certificate file, for example, TrustedCA.p7b, select the file, and then click Open. 14. On the File to Import page, select Place all certificates in the following store and ensure that Trusted Root Certification Authorities appears in the Certificate store box, and then click Next. 15. On the Completing the Certificate Import Wizard page, click Finish. To create a certificate template 1. On the computer that is hosting your enterprise CA, on the Windows desktop, click Start, point to Programs, point to Administrative Tools, and then click Certification Authority. 2. In the navigation pane, expand the CA name, right-click Certificate Templates, and then click Manage. 3. 
In the Certificate Templates console, in the results pane, right-click IPSec (Offline request), and then click Duplicate Template.
4. In the Duplicate Template dialog box, select Windows Server 2003 Enterprise Edition, and then click OK.
Note The option for Windows Server 2008 Enterprise Edition is not supported at this time.
5. In the Properties of New Template dialog box, on the General tab, in the Template display name text box, type a new name for this template; for example, OperationsManagerCert.
6. On the Request Handling tab, select Allow private key to be exported.
7. Click the Extensions tab, and in Extensions included in this template, click Application Policies, and then click Edit.
8. In the Edit Application Policies Extension dialog box, click IP security IKE intermediate, and then click Remove.
9. Click Add, and in the Application policies list, hold down the CTRL key to multi-select items from the list, click Client Authentication and Server Authentication, and then click OK.
10. In the Edit Application Policies Extension dialog box, click OK.
11. Click the Security tab and ensure that the Authenticated Users group has Read and Enroll permissions, and then click OK.
12. Close the Certificate Templates console.
To add the template to the Certificate Templates folder
1. On the computer that is hosting your Enterprise CA, in the Certification Authority snap-in, right-click the Certificate Templates folder, point to New, and then click Certification Template to Issue.
2. In the Enable Certificate Templates box, select the certificate template that you created; for example, click OperationsManagerCert, and then click OK.
To create a setup information (.inf) file
1. On the computer hosting the Operations Manager component for which you are requesting a certificate, click Start, and then click Run.
2. In the Run dialog box, type Notepad, and then click OK.
3. Create a text file containing the following content:
[NewRequest]
Subject="CN=<FQDN of computer you are creating the certificate, for example, the gateway server or management server.>"
Exportable=TRUE
KeyLength=2048
KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2
4. Save the file with an .inf file name extension; for example, RequestConfig.inf.
5. Close Notepad.
To create a request file to use with an enterprise CA
1. On the computer hosting the Operations Manager component for which you are requesting a certificate, click Start, and then click Run.
2. In the Run dialog box, type cmd, and then click OK.
3. In the command window, type CertReq -New -f RequestConfig.inf CertRequest.req, and then press ENTER.
4. Using Notepad, open the resulting file (for example, CertRequest.req), and copy the contents of this file into the clipboard.
To submit a request to an enterprise CA
1. On the computer hosting the Operations Manager component for which you are requesting a certificate, start Internet Explorer, and then connect to the computer hosting Certificate Services; for example, https://<servername>/certsrv.
Note If an HTTPS binding has not been configured on the Certificate Services Web site, the browser will fail to connect. See the topic How to Configure an HTTPS Binding for a Windows Server 2008 CA in this guide.
2. On the Microsoft Active Directory Certificate Services Welcome screen, click Request a certificate.
3. On the Request a Certificate page, click advanced certificate request.
4. On the Advanced Certificate Request page, click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
5. On the Submit a Certificate Request or Renewal Request page, in the Saved Request text box, paste the contents of the CertRequest.req file that you copied in step 4 in the previous procedure.
6. In the Certificate Template, select the certificate template that you created, for example, OperationsManagerCert, and then click Submit.
7. On the Certificate Issued page, select Base 64 encoded, and then click Download certificate.
8. In the File Download Security Warning dialog box, click Save, and save the certificate; for example, save as NewCertificate.cer.
9. Close Internet Explorer.
To import the certificate into the certificate store
1. On the computer hosting the Operations Manager component for which you are configuring the certificate, click Start, and then click Run.
2. In the Run dialog box, type cmd, and then click OK.
3. In the command window, type CertReq -Accept NewCertificate.cer, and then press ENTER.
To import the certificate into Operations Manager using MOMCertImport
1. Log on to the computer where you installed the certificate with an account that is a member of the Administrators group.
2. On the Windows desktop, click Start, and then click Run.
3. In the Run dialog box, type cmd, and then click OK.
4. At the command prompt, type <drive_letter>: (where <drive_letter> is the drive where the Operations Manager 2007 installation media is located), and then press ENTER.
5. Type cd\SupportTools\i386, and then press ENTER.
Note On 64-bit computers, type cd\SupportTools\amd64
6. Type the following: MOMCertImport /SubjectName <Certificate Subject Name>
7. Press ENTER.
See Also
How to Configure the Operations Console to Use SSL When Connecting to a Reporting Server in Operations Manager 2007 How to Obtain a Certificate Using Windows Server 2003 Enterprise CA in Operations Manager 2007 How to Obtain a Certificate Using Windows Server 2003 Stand-Alone CA in Operations Manager 2007 How to Obtain a Certificate Using Windows Server 2008 Stand-Alone CA in Operations Manager 2007 How to Remove Certificates Imported with MOMCertImport in Operations Manager 2007
How to Obtain a Certificate Using Windows Server 2008 Stand-Alone CA in Operations Manager 2007
Use the procedures in this topic to obtain a certificate from a stand-alone Windows Server 2008-based computer hosting Active Directory Certificate Services (AD CS). You will use the CertReq command-line utility to request and accept a certificate, and you will use a Web interface to submit and retrieve your certificate. It is assumed that you have AD CS installed, an HTTPS binding is being used, and its associated certificate has been installed. Information about creating an HTTPS binding is available in the topic How to Configure an HTTPS Binding for a Windows Server 2008 CA.
Important The content for this topic is based on the default settings for Windows Server 2008 AD CS; for example, setting the key length to 2048, selecting Microsoft Software Key Storage Provider as the CSP, and using Secure Hash Algorithm 1 (SHA1). Evaluate these selections against the requirements of your company's security policy.
The high-level process to obtain a certificate from a stand-alone certification authority (CA) is as follows:
1. Download the Trusted Root (CA) certificate.
2. Import the Trusted Root (CA) certificate.
3. Create a setup information file to use with the CertReq command-line utility.
4. Create a request file.
5. Submit a request to the CA using the request file.
6. Approve the pending certificate request.
7. Retrieve the certificate from the CA.
8. Import the certificate into the certificate store.
9. Import the certificate into Operations Manager using MOMCertImport.
To download the Trusted Root (CA) certificate
1. Log on to the computer where you installed a certificate; for example, the gateway server or management server.
2. Start Internet Explorer, and connect to the computer hosting Certificate Services; for example, https://<servername>/certsrv.
3. On the Welcome page, click Download a CA Certificate, certificate chain, or CRL.
4. On the Download a CA Certificate, Certificate Chain, or CRL page, click Encoding method, click Base 64, and then click Download CA certificate chain.
5. In the File Download dialog box, click Save and save the certificate; for example, Trustedca.p7b.
6. When the download has finished, close Internet Explorer.
To import the Trusted Root (CA) Certificate 1. On the Windows desktop, click Start, and then click Run. 2. In the Run dialog box, type mmc, and then click OK.
3. In the Console1 window, click File, and then click Add/Remove Snap-in.
4. In the Add/Remove Snap-in dialog box, click Add.
5. In the Add Standalone Snap-in dialog box, click Certificates, and then click Add.
6. In the Certificates snap-in dialog box, select Computer account, and then click Next.
7. In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish.
8. In the Add Standalone Snap-in dialog box, click Close.
9. In the Add/Remove Snap-in dialog box, click OK.
10. In the Console1 window, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.
11. Right-click Certificates, select All Tasks, and then click Import.
12. In the Certificate Import Wizard, click Next.
13. On the File to Import page, click Browse and select the location where you downloaded the CA certificate file, for example, TrustedCA.p7b, select the file, and then click Open.
14. On the File to Import page, select Place all certificates in the following store and ensure that Trusted Root Certification Authorities appears in the Certificate store box, and then click Next.
15. On the Completing the Certificate Import Wizard page, click Finish.
To create a setup information (.inf) file
1. On the computer hosting the Operations Manager component for which you are requesting a certificate, click Start, and then click Run.
2. In the Run dialog box, type Notepad, and then click OK.
3. Create a text file containing the following content:
[NewRequest]
Subject="CN=<FQDN of computer you are creating the certificate, for example, the gateway server or management server.>"
Exportable=TRUE
KeyLength=2048
KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2
4. Save the file with an .inf file name extension, for example, RequestConfig.inf.
5. Close Notepad.
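The setup information file used in both Windows Server 2008 topics can be checked before CertReq consumes it. The following is an added example, not part of the original guide: it builds the file for one computer and lints an existing one against the values the guide lists. The function names, the sample host gw01.contoso.example, the constructed bad sample and the default minimum key length are assumptions of this example.

```python
import re

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # EKU OIDs listed in the guide's .inf
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"

# Standard X.509 key-usage bits, as carried in the low byte of KeyUsage=.
KEY_USAGE_BITS = {
    0x80: "digitalSignature", 0x40: "nonRepudiation",
    0x20: "keyEncipherment", 0x10: "dataEncipherment",
    0x08: "keyAgreement", 0x04: "keyCertSign",
    0x02: "cRLSign", 0x01: "encipherOnly",
}

# Constructed sample with three deliberate mistakes (not from the guide).
SAMPLE_BAD = """\
[NewRequest]
Subject="CN=gw01"
Exportable=TRUE
KeyLength=1024
KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
"""


def build_request_inf(fqdn, key_length=2048):
    """Return the guide's RequestConfig.inf content for one computer."""
    return "\n".join([
        "[NewRequest]", f'Subject="CN={fqdn}"', "Exportable=TRUE",
        f"KeyLength={key_length}", "KeySpec=1", "KeyUsage=0xf0",
        "MachineKeySet=TRUE", "[EnhancedKeyUsageExtension]",
        f"OID={SERVER_AUTH}", f"OID={CLIENT_AUTH}",
    ]) + "\n"


def parse_inf(text):
    """Parse .inf text into {section: [(key, value), ...]}.

    Pairs are kept in a list because OID= legitimately repeats; a plain
    dict would silently keep only the last OID.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), [])
            continue
        if current is None or "=" not in line:
            raise ValueError(f"not a key=value line inside a section: {raw!r}")
        key, value = line.split("=", 1)
        current.append((key.strip().lower(), value.strip().strip('"')))
    return sections


def decode_key_usage(value):
    """Turn a KeyUsage value such as 0xf0 into key-usage names."""
    bits = int(value, 0)
    return [name for bit, name in KEY_USAGE_BITS.items() if bits & bit]


def lint_request(text, expected_fqdn, min_key_length=2048):
    """Check a request .inf against the values the guide specifies."""
    sections = parse_inf(text)
    req = dict(sections.get("newrequest", []))
    ekus = [v for k, v in sections.get("enhancedkeyusageextension", []) if k == "oid"]
    findings = []

    match = re.search(r"(?:^|,)\s*CN=([^,]+)", req.get("subject", ""), re.I)
    cn = match.group(1).strip() if match else ""
    if cn.lower() != expected_fqdn.lower():
        findings.append(f"Subject CN {cn!r} is not the computer FQDN {expected_fqdn!r}")

    try:
        key_length = int(req.get("keylength", ""))
    except ValueError:
        key_length = 0
    if key_length < min_key_length:
        findings.append(f"KeyLength {key_length} is below {min_key_length}")

    if req.get("machinekeyset", "").upper() != "TRUE":
        findings.append("MachineKeySet is not TRUE (request is not in the local computer context)")

    for oid, name in ((SERVER_AUTH, "Server Authentication"),
                      (CLIENT_AUTH, "Client Authentication")):
        if oid not in ekus:
            findings.append(f"EKU {name} ({oid}) is missing")

    return {"cn": cn, "key_length": key_length,
            "key_usage": decode_key_usage(req.get("keyusage", "0")),
            "findings": findings}


if __name__ == "__main__":
    for finding in lint_request(SAMPLE_BAD, "gw01.contoso.example")["findings"]:
        print("FINDING:", finding)
```

Raise min_key_length or extend the checks to match your own security policy, as the Important note in each topic asks you to evaluate the defaults.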
To create a request file to use with a stand-alone CA
1. On the computer hosting the Operations Manager component for which you are requesting a certificate, click Start, and then click Run.
2. In the Run dialog box, type cmd, and then click OK.
3. In the command window, type CertReq -New -f RequestConfig.inf CertRequest.req, and then press ENTER.
4. Open the resulting file (for example, CertRequest.req) with Notepad. Copy the contents of this file onto the clipboard.
To submit a request to a stand-alone CA
1. On the computer hosting the Operations Manager component for which you are requesting a certificate, start Internet Explorer, and then connect to the computer hosting Certificate Services (for example, https://<servername>/certsrv).
Note If an HTTPS binding has not been configured on the Certificate Services Web site, the browser will fail to connect. See the topic How to Configure an HTTPS Binding for a Windows Server 2008 CA in this guide.
2. On the Microsoft Active Directory Certificate Services Welcome screen, click Request a certificate.
3. On the Request a Certificate page, click advanced certificate request.
4. On the Advanced Certificate Request page, click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
5. On the Submit a Certificate Request or Renewal Request page, in the Saved Request text box, paste the contents of the CertRequest.req file that you copied in step 4 in the previous procedure, and then click Submit.
6. Close Internet Explorer.
To approve the pending certificate request
1. Log on as a certification authority administrator to the computer hosting Active Directory Certificate Services.
2. On the Windows desktop, click Start, point to Programs, point to Administrative Tools, and then click Certification Authority.
3. In Certification Authority, expand the node for your certification authority name, and then click Pending Requests.
4. In the results pane, right-click the pending request from the previous procedure, point to All Tasks, and then click Issue.
5. Click Issued Certificates, and confirm the certificate you just issued is listed.
6. Close Certification Authority.
To retrieve the certificate
1. Log on to the computer where you want to install a certificate; for example, the gateway server or management server.
2. Start Internet Explorer, and connect to the computer hosting Certificate Services (for example, https://<servername>/certsrv).
3. On the Microsoft Active Directory Certificate Services Welcome page, click View the status of a pending certificate request.
4. On the View the Status of a Pending Certificate Request page, click the certificate you requested.
5. On the Certificate Issued page, select Base 64 encoded, and then click Download certificate.
6. In the File Download Security Warning dialog box, click Save, and save the certificate; for example, as NewCertificate.cer.
7. On the Certificate Installed page, after you see the message that Your new certificate has been successfully installed, close the browser.
8. Close Internet Explorer.
To import the certificate into the certificate store
1. On the computer hosting the Operations Manager component for which you are configuring the certificate, click Start, and then click Run.
2. In the Run dialog box, type cmd, and then click OK.
3. In the command window, type CertReq -Accept NewCertificate.cer, and then press ENTER.
To import the certificate into Operations Manager using MOMCertImport
1. Log on to the computer where you installed the certificate with an account that is a member of the Administrators group.
2. On the Windows desktop, click Start, and then click Run.
3. In the Run dialog box, type cmd, and then click OK.
4. At the command prompt, type <drive_letter>: (where <drive_letter> is the drive where the Operations Manager 2007 installation media is located), and then press ENTER.
5. Type cd\SupportTools\i386, and then press ENTER.
Note On 64-bit computers, type cd\SupportTools\amd64
6. Type the following:
See Also
How to Configure the Operations Console to Use SSL When Connecting to a Reporting Server in Operations Manager 2007 How to Obtain a Certificate Using Windows Server 2003 Enterprise CA in Operations Manager 2007 How to Obtain a Certificate Using Windows Server 2003 Stand-Alone CA in Operations Manager 2007 How to Obtain a Certificate Using Windows Server 2008 Enterprise CA in Operations Manager 2007 How to Remove Certificates Imported with MOMCertImport in Operations Manager 2007
See Also
How to Configure the Operations Console to Use SSL When Connecting to a Reporting Server in Operations Manager 2007 How to Obtain a Certificate Using Windows Server 2003 Enterprise CA in Operations Manager 2007
How to Obtain a Certificate Using Windows Server 2003 Stand-Alone CA in Operations Manager 2007
For example, the Run As Profile named Data Warehouse SQL Server Authentication Account has the Run As Account named Data Warehouse SQL Server Authentication Account associated with it. As an example, you can use the following procedure to change the Run As Account associated with the Run As Profile called Data Warehouse SQL Server Authentication Account. It is assumed that the new Run As Account that you want to associate with this Run As Profile has already been created. For more information about Run As Accounts and Run As Profiles, see the topic How to Administer Security Roles, Accounts, and Profiles in Operations Manager 2007 (http://go.microsoft.com/fwlink/?LinkId=88131).
To change the Run As Account associated with a Run As Profile
1. Log on to the computer with an account that is a member of the Operations Manager Administrators role for the Operations Manager 2007 management group.
2. In the Operations console, click the Administration button.
Note When you run the Operations console on a computer that is not a management server, the Connect To Server dialog box displays. In the Server name text box, type the name of the Operations Manager 2007 management server that you want the Operations console to connect to.
3. In the Administration pane, expand Administration, expand Security, and then click Run As Profiles.
4. In the Run As Profiles pane, right-click Data Warehouse SQL Server Authentication Account, and then click Properties.
5. In the Run As Profile - Data Warehouse SQL Server Authentication Account dialog box, click the Run As Accounts tab.
6. Under Run As Accounts, click the target computer, and then click Edit.
7. In the Edit Alternate Run As Account dialog box, click the Run As Account list, select the new Run As Account that you want to associate with this Run As Profile, and then click OK.
8. In the Run As Profile - Data Warehouse SQL Server Authentication Account dialog box, click OK.
Authentication and Data Encryption for UNIX and Linux Operating Systems
With Operations Manager 2007 R2, you can deploy agents to UNIX-based or Linux-based computers. In such an environment, Kerberos authentication is not possible. Therefore, certificates are used between the management server and the UNIX-based or Linux-based computers. In this scenario, the certificates are self-signed by the management server. (Although it is possible to use third-party certificates, they are not needed.)
There are two methods you can use to deploy agents. You can use the Discovery Wizard or you can manually install an agent. Of these two methods, manually installing an agent is the more secure option. When you use the Discovery Wizard to push agents to UNIX-based or Linux-based computers, you trust that the computer that you are deploying to is really the computer that you think it is. When you use the Discovery Wizard to deploy agents, it involves greater risk than when you deploy to computers on the public network or in a DMZ. In this section of the Security Guide, we will discuss how to manually deploy an agent to a UNIX-based or Linux-based computer. When you use the Discovery Wizard to deploy an agent, the Discovery Wizard performs the following functions:
Deployment: The Discovery Wizard copies the agent package to the UNIX-based or Linux-based computer and then starts the installation process.
Certificate Signing: Operations Manager retrieves the certificate from the agent, signs the certificate, deploys the certificate back to the agent, and then restarts the agent.
Discovery: The Discovery Wizard discovers the computer and tests to see that the certificate is valid. If the Discovery Wizard verifies that the computer can be discovered and that the certificate is valid, the Discovery Wizard adds the newly discovered computer to the Operations Manager database.
When you manually deploy an agent, you perform the first two steps that are typically handled by the Discovery Wizard, deployment and certificate signing. Then, you use the Discovery Wizard to add the computer to the Operations Manager database. If there are existing certificates on the system, they are reused during agent installation. New certificates are not created. Certificates are not automatically deleted when you uninstall an agent. You must manually delete the certificates that are listed in the /etc/opt/microsoft/scx/ssl folder. To regenerate the certificates at install, you must remove this folder before agent installation. Hash values for the agent binaries are available in Appendix B - List of Hash Values for UNIX and Linux Agents in this guide. For instructions on how to manually deploy an agent, see the Manually Installing Cross-platform Agents topic in the Operations Manager 2007 R2 Operations Guide (http://go.microsoft.com/fwlink/?LinkID=146211), and then use the following procedure to install the certificates.
you want to add.
6. In the Credentials area, type the username and password of a valid account, and then click OK.
7. On the Discovery Method page, make sure that Enable SSH based discovery is not selected; if it is necessary, select the management server that you used to sign the certificate, and then click Discover.
8. On the Select Computers to Manage page, select the computer, and then click Next.
9. On the Summary page, click Done.
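The checks that the manual deployment guidance above calls for before installation (compare the agent package with its published hash, and see whether /etc/opt/microsoft/scx/ssl already holds certificates that the installer would reuse) can be scripted as below. This is an added example, not part of the original guide: the function names, the SCX_SSL_DIR override and the command-line form are assumptions, and the expected SHA-256 value must be taken from a trusted copy of Appendix B.

```shell
#!/bin/sh
# Pre-installation checks for a manually deployed UNIX/Linux agent package.
# Added example: function names and the CLI are assumptions, not product tooling.
# Usage: sh precheck.sh <agent-package> <expected-sha256-from-Appendix-B>

# Certificate folder named in the guide; overridable for testing.
SCX_SSL_DIR="${SCX_SSL_DIR:-/etc/opt/microsoft/scx/ssl}"

# Print the SHA-256 of a file as lowercase hex, using whichever tool exists.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 < "$1" | awk '{print $1}'
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha256 < "$1" | awk '{print $NF}'
    else
        echo "no SHA-256 tool found" >&2
        return 2
    fi
}

# Normalize a hash copied from a document: drop whitespace, lowercase.
normalize_hash() {
    printf '%s' "$1" | tr -d ' \t\r\n' | tr 'A-F' 'a-f'
}

# Return 0 on match, 1 on mismatch, 2 on unusable input.
verify_package() {
    pkg=$1
    expected=$(normalize_hash "$2")
    [ -f "$pkg" ] || { echo "missing package: $pkg" >&2; return 2; }
    case $expected in
        ''|*[!0-9a-f]*) echo "expected value is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected value is not 64 hex digits" >&2; return 2; }
    actual=$(file_sha256 "$pkg") || return 2
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "HASH MISMATCH for $pkg" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Print how many files already sit in the agent's ssl folder (0 if absent).
count_existing_certs() {
    dir=${1:-$SCX_SSL_DIR}
    [ -d "$dir" ] || { echo 0; return 0; }
    find "$dir" -type f | wc -l | tr -d ' '
}

# Run both checks; a hash failure stops before anything is installed.
precheck() {
    verify_package "$1" "$2" || return $?
    echo "OK: $1 matches the expected SHA-256"
    n=$(count_existing_certs)
    if [ "$n" -gt 0 ]; then
        echo "NOTE: $n file(s) in $SCX_SSL_DIR will be reused by the installer."
        echo "      Remove the folder first if new certificates are required."
    else
        echo "OK: no existing certificates in $SCX_SSL_DIR"
    fi
}

# Only act when called with both arguments, so the file can also be sourced.
if [ "$#" -eq 2 ]; then
    precheck "$1" "$2"
fi
```

A non-zero exit from precheck means the package must not be installed; the certificate message is informational and leaves the decision to remove the folder with the operator.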
server), the Reporting Server, and the Reporting data warehouse, as shown in the following illustration.
The account that was specified as the Data Reader Account during setup of Reporting becomes the Execution Account on Reporting Server, and it is this account that will be used to connect to the Reporting data warehouse. You will need to determine what port number the computer running SQL Server on the Reporting data warehouse is using and enter this number into the dbo.MT_DataWarehouse table in the Operations Manager database. See How to Configure the Reporting Data Warehouse to Listen on a Specific TCP/IP Port in this guide.
Port Assignments
The following table shows Operations Manager 2007 component interaction across a firewall, including information about the ports used for communication between the components, which direction to open the inbound port, and whether the port number can be changed.
Operations Manager 2007 SP1 Component A Port Number and Direction Operations Manager 2007 SP1 Component B Configurable Note
1433 --->
Yes (Setup)
Yes (Setup)
No
Port 5724 must be open to install this component and can be closed after this component has been installed.
No No No Port 5724 must be open to install this component and can be closed after this component has been installed.
root management server root management server root management server Web console server
No No No Yes (IIS Admin) Port 51908 is the default port used when selecting Windows Authentication. If you select Forms Authentication, you will need to install an SSL certificate and configure an available port for https functionality for the Operations Manager 2007 WebConsole Web site.
Web console server 5724 ---> Web console browser 51908 --->
No
Agent installed using MOMAgent.msi Agent installed using MOMAgent.msi Agent installed using MOMAgent.msi gateway server Agent (Audit Collection Services forwarder) Agentless Exception Monitoring data from client Customer Experience Improvement Program data from client Operations console (reports)
5723 --->
Yes (Setup)
5723 --->
Yes (Setup)
5723 --->
Yes (Setup)
management server management server Audit Collection Services collector management server Agentless Exception Monitoring file share management server (Customer Experience Improvement Program End) Point SQL Reporting Services
51906 --->
51907 --->
80 --->
No
The Operations console uses Port 80 to connect to the SQL Reporting Services Web site.
Reporting server
1433 --->
Yes Yes
Services collector)
database
How to Configure the Operations Manager Database to Listen on a Specific TCP/IP Port
Perform the following steps to configure a static port for the Operations Manager database:
• Use the SQL Server Configuration Manager to disable dynamic port addressing, specify a static port, disable and stop the SQL Server Browser service, and then restart the SQL Server <Instance> service.
• Edit the dbo.MT_ManagementGroup table with the static port number.
• Edit the registry to configure the static port number on the root management server.

Caution
Incorrectly editing the registry can severely damage your system. Before making changes to the registry, you should back up any important data.

To configure the Operations Manager database port number
1. Log on to the computer hosting the Operations Manager database.
2. On the Windows desktop, click Start, point to Programs, point to Microsoft SQL Server 2005, point to Configuration Tools, and then click SQL Server Configuration Manager.
3. In the SQL Server Configuration Manager dialog box, expand SQL Server 2005 Network Configuration, and then click Protocols for <INSTANCE>.
4. In the results pane, right-click TCP/IP, and then click Properties.
5. In the TCP/IP Properties dialog box, click the IP Addresses tab.
6. Several IP addresses appear in the format IP1, IP2, up to IPAll. One of these is for the IP address of the loopback adapter, 127.0.0.1. Additional IP addresses appear for each IP address on the computer. Expand IP1, IP2, up to IPAll.
7. For the IPn areas, if the TCP Dynamic Ports dialog box contains a 0, indicating the Database Engine is listening on dynamic ports, delete the 0.
8. In the IPAll area, if the TCP Dynamic Ports dialog box contains a port number (which indicates the dynamic port number that was assigned), delete the port number.
9. In the IPAll area, in the TCP Port dialog box, enter the static port number you want to use, and then click OK.
10. In the SQL Server Configuration Manager dialog box, click SQL Server 2005 Services.
11. In the SQL Server Configuration Manager results pane, right-click SQL Server Browser, and select Properties.
12. In the SQL Server Browser Properties dialog box, click the Service tab.
13. In the Service tab, click Start Mode. In the Start Mode list, click Disabled, and then click OK.
14. In the SQL Server Configuration Manager results pane, right-click SQL Server Browser, and then click Stop.
15. In the results pane, right-click SQL Server (<instance name>), and then click Restart.
16. Close the SQL Server Configuration Manager.

To enter the SQL Server port number into the dbo.MT_ManagementGroup table
1. On the computer hosting the Operations Manager database, on the Windows desktop, click Start, point to Programs, point to Microsoft SQL Server 2005, and then click SQL Server Management Studio.
2. In the Connect to Server dialog box, in the Server type list, select Database Engine.
3. In the Server name list, type the server name, instance, and port number for your Operations Manager database (for example, computer\<instance>).
4. In the Authentication list, select Windows Authentication, and then click Connect.
5. In the Object Explorer pane, expand Databases, expand OperationsManager, expand Tables, right-click dbo.MT_ManagementGroup, and then click Open Table.
6. In the results pane, scroll to the right to the column titled SQLServerName_<guid>.
7. In the first row, enter computer\<instance> followed by a comma, a space, and then the SQL Server port number (for example, computer\INSTANCE1, <port>).
8. Click File, and then click Exit.

To edit the registry on the root management server
1. Log on to the computer hosting the root management server.
2. On the Windows desktop, click Start, click Run, type regedit, and then click OK.
3. On the Registry Editor page, expand HKEY_LOCAL_MACHINE, expand SOFTWARE, expand Microsoft, expand Microsoft Operations Manager, expand 3.0, and then click Setup.
4. In the results pane, right-click DatabaseServerName, and then click Modify.
5. In the Edit String dialog box, in the Value data text box, append the database server name entry with a comma and a space, and then type the port number. For example, <computer_name>\<instance>, <port number>.
6. Click OK.
How to Configure the Reporting Data Warehouse to Listen on a Specific TCP/IP Port
Perform the following procedures to configure a static port for the Reporting data warehouse:
• Use the SQL Server Configuration Manager to disable dynamic port addressing, specify a static port, disable and stop the SQL Server Browser service, and then restart the SQL Server <Instance> service.
• Edit the dbo.MT_ManagementGroup table with the static port number.
• Edit the dbo.MemberDatabase table with the static port number.
• Edit the registry to configure the static port number on the root management server.

Caution
Incorrectly editing the registry can severely damage your system. Before making changes to the registry, you should back up any important data.

• Edit the SQL Server Reporting Services settings.

To configure the Operations Manager database port number
1. Log on to the computer hosting the Reporting data warehouse.
2. On the Windows desktop, click Start, point to Programs, point to Microsoft SQL Server 2005, point to Configuration Tools, and then click SQL Server Configuration Manager.
3. In the SQL Server Configuration Manager dialog box, expand SQL Server 2005 Network Configuration, and then click Protocols for <INSTANCE>.
4. In the results pane, right-click TCP/IP, and then click Properties.
5. In the TCP/IP Properties dialog box, click the IP Addresses tab.
6. Several IP addresses appear in the format IP1, IP2, up to IPAll. One of these is for the IP address of the loopback adapter, 127.0.0.1. Additional IP addresses appear for each IP address on the computer. Expand IP1, IP2, up to IPAll.
7. For the IPn areas, if the TCP Dynamic Ports dialog box contains a 0, indicating the Database Engine is listening on dynamic ports, delete the 0.
8. In the IPAll area, if the TCP Dynamic Ports box contains a port number (which indicates the dynamic port number that was assigned), delete the port number.
9. In the IPAll area, in the TCP Port dialog box, enter the static port number you want to use, and then click OK.
10. In the SQL Server Configuration Manager dialog box, click SQL Server 2005 Services.
11. In the SQL Server Configuration Manager results pane, right-click SQL Server Browser and select Properties.
12. In the SQL Server Browser Properties dialog box, click the Service tab.
13. On the Service tab, click Start Mode. In the Start Mode list, click Disabled, and then click OK.
14. In the SQL Server Configuration Manager results pane, right-click SQL Server Browser, and then click Stop.
15. In the results pane, right-click SQL Server (<instance name>) and then click Restart.
16. Close the SQL Server Configuration Manager.

To enter the SQL Server port number into the dbo.MT_ManagementGroup table
1. On the computer hosting the Operations Manager database, on the Windows desktop, click Start, point to Programs, point to Microsoft SQL Server 2005, and then click SQL Server Management Studio.
2. In the Connect to Server dialog box, in the Server type list, select Database Engine.
3. In the Server name list, type the server and instance for your Operations Manager database (for example, computer\INSTANCE1).
4. In the Authentication list, select Windows Authentication, and then click Connect.
5. In the Object Explorer pane, expand Databases, expand OperationsManager, expand Tables, right-click dbo.MT_DataWarehouse, and then click Open Table.
6. In the results pane, scroll to the right to the column titled MainDatabaseServerName_<guid>.
7. In the first row, enter computer\<instance> followed by a comma, a space, and then the SQL Server port number (for example, computer\<instance>, <port>).
8. Click File, and then click Exit.

To enter the SQL Server port number into the dbo.MemberDatabase table
1. On the computer hosting the Reporting data warehouse, on the Windows desktop, click Start, point to Programs, point to Microsoft SQL Server 2005, and then click SQL Server Management Studio.
2. In the Connect to Server dialog box, in the Server type list, select Database Engine.
3. In the Server name list, type the server and instance for your Operations Manager database (for example, computer\<instance>).
4. In the Authentication list, select Windows Authentication, and then click Connect.
5. In the Object Explorer pane, expand Databases, expand OperationsManagerDW, expand Tables, right-click dbo.MemberDatabase, and then click Open Table.
6. In the results pane, scroll to the right to the column titled ServerName.
7. In the first row, enter computer\<instance> followed by a comma, a space, and then the SQL Server port number (for example, computer\<instance>, <port>).
8. Click File, and then click Exit.

To edit the registry on the Reporting Server
1. Log on to the computer hosting the root management server.
2. On the Windows desktop, click Start, click Run, type regedit, and then click OK.
3. On the Registry Editor page, expand HKEY_LOCAL_MACHINE, expand SOFTWARE, expand Microsoft, expand Microsoft Operations Manager, expand 3.0, and then click Reporting.
4. In the results pane, right-click DWDBInstance, and then click Modify.
5. In the Edit String dialog box, in the Value data text box, append the database server name entry with a comma and a space, and then type the port number. For example, <computer_name>\<instance>, <port number>.
6. Click OK.

To edit SQL Server Reporting Services
1. Log on to the computer hosting the root management server.
2. Start Internet Explorer and connect to http://<computer name>/reports$<instance name>.
3. Click the Contents tab.
4. On the right side of the toolbar, click Show Details.
5. Click Data Warehouse Main.
6. In the Connection string text box, locate the line that reads source=<computer>\<instance>;initial.
7. Append the instance name with a comma and a space, and then type the static port number. For example, source=<computer>\<instance>, <port>;initial.
8. Click Apply, and then close the browser.
• A certificate (and certification authority [CA] certificate) has been installed on the computer hosting the agent. For more information, see the topic Certificates in Operations Manager 2007 (http://go.microsoft.com/fwlink/?LinkId=91129).
On the computer hosting the ACS Collector, it is assumed that the following has been performed before setting up certificates for ACS.
• A certificate (and CA certificate) has been installed on the management server hosting the ACS Collector. For more information, see the topic Certificates in Operations Manager 2007 (http://go.microsoft.com/fwlink/?LinkId=91129).
• The pending agent has been approved and communication between the agent and the management server is operating properly (the agent appears as Healthy in the Operations Manager Console and Management Packs have been deployed to the agent). For more information, see the topic How to Approve an Operations Manager 2007 Agent Installed for a Management Group Using MOMAgent.msi (http://go.microsoft.com/fwlink/?LinkId=91130).
• The ACS Collector and Database have been installed. For more information, see the topic How to Install an ACS Collector and Database (http://go.microsoft.com/fwlink/?LinkId=91142).
The following is a high-level overview of the steps that need to be performed to use certificates with ACS.

Note
Certificates used on various components in Operations Manager 2007 (for example, ACS Collector, ACS Forwarder, agent, gateway server, management server, or root management server) must be issued by the same CA.

On the computer hosting the ACS Collector:
Run ADTServer -c.
Map the ACS Forwarder Certificate in Active Directory.
In the Operations Manager Console, enable ACS.
Export the certificate to a disk, USB flash drive, or network share.
Run ADTAgent -c.
See Also
How to Configure Certificates on the ACS Collector in Operations Manager 2007
How to Configure Certificates on the ACS Forwarder in Operations Manager 2007
Add.
9. In the Add Certificate dialog box, click the Look in menu, select the location where the exported certificate is located, and then click Open.
10. In the Add Certificate dialog box, ensure that Use Subject for alternate security identity is selected, and then click OK.
11. In the Security Identity Mapping dialog box, click OK.
12. Repeat steps 4-11 for each computer you have added.
See Also
Using Certificates with ACS in Operations Manager 2007
How to Configure Certificates on the ACS Forwarder in Operations Manager 2007
click Next.
15. On the File to Export page, click Browse.
16. On the Save As page, select a folder and file name for the certificate, ensure that the Save as type is set to DER Encoded Binary X.509 (*.cer), and then click Save.
Note
You will need to copy this certificate to the computer hosting the ACS Collector, so choose a location that the ACS Collector can read from, or consider saving the certificate to a disk, USB flash drive, or network share. In addition, it is recommended that you include the computer name in the file name if you are exporting certificates from more than one computer.
17. On the File to Export page, ensure that the path and file name are correct, click Next, and then click Finish.

To run the adtagent command
1. On the Windows desktop, click Start, and then click Run.
2. In the Run dialog box, type cmd, and then click OK.
3. At the command prompt, type <drive_letter>: (where <drive_letter> is the drive where the Operating System is installed), and then press ENTER.
4. Type cd %systemroot% and then press ENTER.
5. Type cd system32 and then press ENTER.
6. Type adtagent -c and then press ENTER.
7. You will see a numbered list of certificates. Find the certificate used for Operations Manager, type the number in the list (should be 1), and then press ENTER.
8. Type exit to close the command window.
See Also
How to Configure Certificates on the ACS Collector in Operations Manager 2007
Using Certificates with ACS in Operations Manager 2007
To use agentless management, the management server's action account must also be a local administrator on the remote computer and must be in the same domain, or a trust relationship must exist between their domains. For example, an agent proxy running as a low-privilege account will fail to access the WMI namespace, and therefore rules, scripts, and monitors will fail to run.
Installing the Web console results in the installation of a new Web site, and a new application pool into Internet Information Services (IIS). The new Web site is named Operations Manager 2007 Web console, and the new application pool is named OPWebConsoleApp. The default port for accessing the Web console from a browser using Windows-based authentication is 51908.

During the installation of the Web console, you are prompted to select either Windows Authentication or Forms Authentication. With Windows Authentication, Microsoft strongly recommends using SSL. With Forms Authentication, SSL is required. Windows Authentication can be used if all of your users access Operations Manager from within the intranet.

Note
The Web console server must be installed on the root management server if you select Windows Authentication.

If your users will be accessing the Web console from the Internet, select Forms Authentication.

Note
The best practice for accessing the Web console from the Internet is to use forms-based authentication with SSL with the Web console.

With either forms-based or Windows-based authentication, the credentials you provide must be a member of a user role in Operations Manager 2007.
Report Operator
The Report Operator profile includes a set of privileges designed for users who need access to reports. A role based on the Report Operator profile grants members the ability to view reports according to their configured scope.
• Retrieve the instance of the data warehouse for the management group
• Write to favorite reports
• Delete favorite reports
• Read favorite reports
• Update favorite reports
• Read reports
• Run reports
Read-Only Operator
The Read-Only Operator profile includes a set of privileges designed for users who need read-only access to alerts and views. A role based on the Read-Only Operators profile grants members the ability to view alerts and access views according to their configured scope.
• Read alerts
• Retrieve the instance of the data warehouse for the management group
• Read state of a resolution
• Read instance of a connector
• Read console tasks
• Enumerate diagnostic objects
• Enumerate the results of diagnostics
• Enumerate discovery objects as defined in a management pack
• Read discovery rules
• Read events
• Write to favorite console tasks
• Delete favorite console tasks
• Enumerate favorite console tasks
• Update favorite console tasks
• Write favorite views
• Delete favorite views
• Enumerate favorite views
• Update favorite views
• Enumerate monitoring objects
• Enumerate monitoring classes
• Enumerate monitoring relationship classes
• Enumerate management packs
• Enumerate monitor types
• Enumerate module types
• Enumerate monitors
• Enumerate overrides
• Enumerate performance data
• Enumerate discovery objects as defined in a management pack
• Enumerate the status of past recoveries
• Enumerate relationship between monitored objects
• Enumerate rules
• Enumerate saved searches
• Update saved searches
• Write to saved searches
• Delete saved searches
• Enumerate state
• Allows access to connected management groups
• Enumerate views
• Enumerate view types
Operator
The Operator profile includes a set of privileges designed for users who need access to alerts, views, and tasks. A role based on the Operators profile grants members the ability to interact with alerts, run tasks, and access views according to their configured scope. The Operator profile contains all of the privileges found in the Read-Only Operator profile in addition to those listed below.
• Update alerts
• Run diagnostics
• Create favorite tasks
• Delete favorite tasks
• Enumerate favorite tasks
• Update favorite tasks
• Run recovery routines
• Update maintenance mode settings
• Enumerate notification actions
• Delete notification actions
• Update notification actions
• Enumerate notification endpoints
• Enumerate notification recipients
• Delete notification recipients
• Update notification recipients
• Enumerate notification subscriptions
• Delete notification subscriptions
• Update notification subscriptions
• Enumerate tasks
• Enumerate task status
• Run tasks
Advanced Operator
The Advanced Operator profile includes a set of privileges designed for users who need access to limited tweaking of monitoring configurations in addition to the Operators privileges. A role based on the Advanced Operators profile grants members the ability to override the configuration of rules and monitors for specific targets or groups of targets within the configured scope. The Advanced Operator profile contains all of the privileges found in the Operator and Read-Only Operator profiles in addition to those listed below.
• Update management packs
• Enumerate templates
Author
The Author profile includes a set of privileges designed for authoring monitoring configurations. A role based on the Authors profile grants members the ability to create, edit, and delete monitoring configuration (tasks, rules, monitors, and views) within the configured scope. For convenience, Authors can also be configured to have Advanced Operator privileges scoped by group. The Author profile contains all of the privileges found in the Advanced Operator, Operator, and Read-Only Operator profiles in addition to those listed below.
• Create management packs
• Delete management packs
• Enumerate Run As Profiles
Administrator
The Administrator profile includes full privileges to Operations Manager. No scoping of the Administrator profile is supported. The Administrator profile contains all of the privileges found in the Author, Advanced Operator, Operator, and Read-Only Operator profiles in addition to those listed below.
• Create a resolution state
• Delete a resolution state
• Update a resolution state
• Deploy an agent
• Repair or update an installed agent
• Uninstall an agent
• Enumerate agent settings
• Update agent settings
• Enumerate agents
• Start or stop managing computers or devices via a proxy health service
• Enumerate computers or devices managed via a proxy health service
• Insert a new instance of a computer or device
• Delete an instance of a computer or device
• Run discovery task
• Create events
• Enumerate global settings
• Update global settings
• Export management packs
• Enumerate management servers
• Delete notification endpoint
• Update notification endpoint
• Create performance data
• Create Run As Accounts
• Delete Run As Accounts
• Enumerate Run As Accounts
• Update Run As Accounts
• Create mappings between Run As Accounts and Run As Profiles
• Delete mappings between Run As Accounts and Run As Profiles
• Enumerate mappings between Run As Accounts and Run As Profiles
• Update mappings between Run As Accounts and Run As Profiles
• Create connected management groups
• Delete connected management groups
• Enumerate user roles
• Delete user roles
• Update user roles
• Write favorite reports
• Delete favorite reports
• Read favorite reports
• Update favorite reports
• Read reports
• Run reports
Agent | File
AIX 5.3 POWER | scx-1.0.4-248.aix.5.ppc.lpp.gz
AIX 6.1 POWER | scx-1.0.4-248.aix.6.ppc.lpp.gz
HPUX 11iv2 IA64 | scx-1.0.4-248.hpux.11iv2.ia64.depot.Z
HPUX 11iv2 PARISC | scx-1.0.4-248.hpux.11iv2.parisc.depot.Z
HPUX 11iv3 IA64 | scx-1.0.4-248.hpux.11iv3.ia64.depot.Z
HPUX 11iv3 PARISC | scx-1.0.4-248.hpux.11iv3.parisc.depot.Z
RHEL 4 x64 | scx-1.0.4-248.rhel.4.x64.rpm
RHEL 4 x86 | scx-1.0.4-248.rhel.4.x86.rpm
RHEL 5 x64 | scx-1.0.4-248.rhel.5.x64.rpm
RHEL 5 x86 | scx-1.0.4-248.rhel.5.x86.rpm
SLES 9 x86 | scx-1.0.4-248.sles.9.x86.rpm
SLES 10 x64 | scx-1.0.4-248.sles.10.x64.rpm
SLES 10 x86 | scx-1.0.4-248.sles.10.x86.rpm
Solaris 8 SPARC | scx-1.0.4-248.solaris.8.sparc.pkg.Z
Solaris 9 SPARC | scx-1.0.4-248.solaris.9.sparc.pkg.Z
Solaris 10 SPARC | scx-1.0.4-248.solaris.10.sparc.pkg.Z
Solaris 10 x86 | scx-1.0.4-248.solaris.10.x86.pkg.Z